S 5.20 OpenLDAP
Description
This module describes the basic security features of OpenLDAP. OpenLDAP is a directory service available for free providing information in a data network using any objects, for example users or computers, in a defined manner. The information can include simple attributes such as the names or numbers of objects or also complex formats such as photos or certificates for electronic signatures. Typical fields of application are address books or user administration systems, for instance.
OpenLDAP is a reference implementation for a server within the framework of the Lightweight Directory Access Protocol (LDAP). As open source software, OpenLDAP is available for a number of operating systems.
Scope of the module
This module examines the threats and safeguards applying specifically to OpenLDAP. For this purpose, OpenLDAP version 2.4 is taken as basis. General security recommendations for directory services can be found in module S 5.15 General directory service. The safeguards described there are explained in detail and expanded upon in this module. This module must be applied to every server of the examined information system on which the slapd daemon of OpenLDAP is run.
Threat scenario
The following typical threats to the IT-Grundschutz of OpenLDAP are assumed to exist:
Force Majeure
T 1.2 | Failure of the IT system |
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules |
T 2.2 | Insufficient knowledge of rules and procedures |
T 2.7 | Unauthorised use of rights |
T 2.28 | Violation of copyright |
T 2.155 | Lack of, or inadequate, planning of OpenLDAP |
Human Error
T 3.8 | Improper use of the IT system |
T 3.9 | Improper IT system administration |
T 3.13 | Passing on false or internal information |
T 3.88 | Errors in the assignment of access rights |
T 3.110 | Incorrect configuration of OpenLDAP |
T 3.111 | Inadequate separation of offline and online access to OpenLDAP |
Technical Failure
T 4.10 | Complexity of access possibilities to networked IT systems |
T 4.13 | Loss of stored data |
T 4.22 | Software vulnerabilities or errors |
T 4.33 | Poor-quality or missing authentication |
T 4.67 | Failure of directory services |
Deliberate Acts
T 5.16 | Threat during maintenance/administration work |
T 5.18 | Systematic trying-out of passwords |
T 5.19 | Abuse of user rights |
T 5.20 | Misuse of administrator rights |
T 5.21 | Trojan horses |
T 5.65 | Denial of services in a database system |
T 5.71 | Loss of confidentiality of classified information |
T 5.78 | DNS spoofing |
T 5.85 | Loss of integrity of information that should be protected |
T 5.144 | Compromising of directory services due to unauthorised access |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
To be able to adequately secure the data processed using OpenLDAP, the underlying server operating system must be protected accordingly. The protection of the latter is not covered in this module and is handled in the corresponding modules in Layer S 3 instead. If for example, Unix is used as platform, module S 3.2 Servers under Unix must be taken into consideration.
A series of safeguards need to be implemented to set up OpenLDAP successfully, starting with the design and installation and continuing through to the operation of OpenLDAP. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and design
If the general planning phase for the use of the directory service is complete, then subconcepts for the use of OpenLDAP must be created that take all applicable general concepts and policies into account. Safeguard S 3.85 Introduction to OpenLDAP is recommended as an introduction and should be considered first. It contains an overview of the OpenLDAP structure and the associated terminology. The general planning methodology to follow is explained in S 2.484 Planning Open LDAP. During the planning phase of OpenLDAP, important decisions on the use of backends must be taken among other things, see S 2.485 Selection of backends for OpenLDAP. Before OpenLDAP is configured, a specific security policy must be drawn up for OpenLDAP in advance (see S 2.405 Drawing up a security policy for the use of directory services).
Purchasing
After finishing the conceptual planning phase, the integrity and authenticity of the packages to be used for installation (source text or binary packages) must be checked (see S 4.382 Selecting and checking the OpenLDAP installation packages).
Implementation
Before OpenLDAP is installed on an IT system, its operating system must first be configured and protected adequately. In addition, any required support programs determined during the planning phase must be installed. For the actual installation and subsequent basic configuration, a number of aspects described in S 4.383 Secure installation of OpenLDAP, S 4.384 Secure configuration of OpenLDAP, S 4.385 Configuration of the database used by OpenLDAP, S 4.386 Restriction in attributes in OpenLDAP, S 4.387 Secure assignment of access rights to OpenLDAP, S 4.388 Secure authentication to OpenLDAP as well as in S 4.389 Partitioning and replication in OpenLDAP must be taken into account.
The secure installation of OpenLDAP is not a single operation. Instead, the software must be kept up to date, as described in safeguard S 4.390 Secure updating of OpenLDAP.
The administrators must receive training on the secure installation and secure operation of OpenLDAP. The most important subjects to be covered by such a training course are described in S 3.86 OpenLDAP training for administrators.
Operation
During regular operations, it must be ensured that the documentation is up-to-date. It is also necessary to carefully administer OpenLDAP in addition to administering the underlying system (see S 4.391 Secure operation of OpenLDAP). To be able to detect any emerging problems in good time, the corresponding safeguard S 4.407 Logging when using OpenLDAP should be taken into consideration. To protect the confidentiality and integrity of the data transmitted, secured communication between the OpenLDAP server and the clients must always be maintained in addition (see S 5.170 Secure communication connections when using OpenLDAP).
Disposal
The aspects to be taken into account for the proper disposal of OpenLDAP are described in detail in safeguard S 2.410 Orderly withdrawal of a directory service from operation.
Contingency Planning
Aspects relating to contingency planning for OpenLDAP are the subject of safeguard S 6.106 Creation of a business continuity plan for the failure of a directory service. The data backup procedure to be following in OpenLDAP is described in S 6.150 Data backup when using OpenLDAP.
The bundle of security safeguards to be used for the "OpenLDAP" module is presented in the following:
Planning and design
S 2.405 | (A) | Drawing up a security policy for the use of directory services |
S 2.484 | (A) | Planning OpenLDAP |
S 2.485 | (A) | Selection of backends for OpenLDAP |
S 3.85 | (W) | Introduction to OpenLDAP |
Purchasing
S 4.382 | (C) | Selecting and checking the OpenLDAP installation packages |
Implementation
S 3.86 | (A) | OpenLDAP training for administrators |
S 4.383 | (B) | Secure installation of OpenLDAP |
S 4.384 | (A) | Secure configuration of OpenLDAP |
S 4.385 | (B) | Configuration of the database used by OpenLDAP |
S 4.386 | (B) | Restriction in attributes in OpenLDAP |
S 4.387 | (A) | Secure assignment of access rights to OpenLDAP |
S 4.388 | (B) | Secure authentication to OpenLDAP |
S 4.389 | (B) | Partitioning and replication in OpenLDAP |
Operation
S 4.390 | (C) | Secure updating of OpenLDAP |
S 4.391 | (B) | Secure operation of OpenLDAP |
S 4.407 | (B) | Logging when using OpenLDAP |
S 5.170 | (C) | Secure communication connections when using OpenLDAP |
Disposal
S 2.410 | (B) | Orderly withdrawal of a directory service from operation |
Contingency Planning
S 6.150 | (B) | Data backup when using OpenLDAP |