Re: Center for Internet Security benchmark for OpenLDAP
On 9/28/07, Howard Chu <firstname.lastname@example.org> wrote:
> Buchan Milne wrote:
> > On Thursday 27 September 2007 20:09:19 Howard Chu wrote:
> >>> Unfortunately, they show configuration for slurpd in their section
> >>> on "Redundant LDAP Servers".
> >>> I wonder if it is worthwhile providing CIS with feedback?
> >> Now that you've pointed it out, I went and downloaded it. I find the
> >> quality of the editing of this document to be pretty abysmal, but the
> >> factual content is at least fixable. I'll be sending some feedback to the
> >> editor shortly.
> >> As usual, if you want to know "best practices", the best way to get that is
> >> just to ask us or read the docs we've already written...
> > Indeed, but unfortunately our esteemed security group bases their security
> > standards on the CIS benchmarks (usually their changes reduce the technical
> > quality at the expense of formatting etc.), so I suspect at some stage I'll
> > be getting questions about an OpenLDAP standard (and I'll probably have to
> > fix it up more than I have the Linux one ...).
> Understood. As Tony pointed out, when I said "when you want to know" I of course
> meant "when one wants to know" because obviously you, Buchan, already know what
> you're doing.
> For anyone curious, here's their document as plaintext with my commentary inserted.
> Howard Chu wrote:
> > You really ought to run articles like this by us before publishing, to be sure
> > you've got all the facts correct.
> >> Center for Internet Security Benchmark for OpenLDAP v1.0
> >> Introduction LDAP stands for Lightweight Directory Access Protocol defined
> >> in RFC 2251 and others and is based on X.500 directory services. LDAP
> >> servers are very popular including commercial servers such as Microsoft
> >> Active Directory, IBM Tivoli Directory Server, Novell eDirectory, and Sun
> >> Java System Directory Server. OpenLDAP is the most popular of the open
> >> source LDAP servers. LDAP servers are just one part of a typical network
> >> infrastructure, and their security depends in part on the security of the
> >> rest of the infrastructure. However this benchmark will focus primarily on
> >> the secure configuration of the OpenLDAP server.
> >> Applicability
> >> The benchmark was developed and tested using OpenLDAP version
> >> 2.3 on Fedcora Core 6, however most of the content will apply to other
Thanks for reproducing this document. I'm glad I didn't fill anything
out to download it.
Am I the only one who noticed this:
What is the Benchmark?
The Benchmark is a compilation of security configuration actions and
settings that "harden" MySQL databases. It recommends Level 1
Benchmark guidance, representing the prudent level of minimum due care
for operating system security.
From this example, I would have to recommend strongly against
following the advice of this site.