T 3.110 Incorrect configuration of OpenLDAP
OpenLDAP is a directory service with a wide range of functions. This variety of functions is achieved by the modular structure of the application and the comprehensive adaptability as open source software. In addition, it is a client-server architecture requiring configurations both on the server and on the client side. All in all, OpenLDAP is a highly complex application.
From an improper configuration, the following threats, among others, might arise:
- Administrators might make adaptations to the configuration of OpenLDAP which are technically feasible, but not admissible. For example, an administrator might change a default schema of OpenLDAP to obtain additional attributes for directory service objects. Since the default schemata are globally uniform, this results in incompatibilities with other directory services and might cause problems during updates of OpenLDAP or during the migration to another directory service. Such an improper implementation might also violate LDAP standards.
- Incorrect entries in the central configuration files of the slapd server might result in undesired behaviour of the server or in the server becoming unusable, for example when a database is accidentally set to a read-only state. Improper directives for backends can also lead to data loss, for instance if such directives do not match the database in use.
- OpenLDAP can be installed from the binary packages provided for an operating system distribution. For several distributions, the slapd server is started automatically with a default configuration as soon as the installation has completed. Such a default configuration is often inadequate; in particular, safeguards such as the encryption of communication connections are frequently not configured.
- Configuration settings can be made in the wrong file. If, for example, user settings are entered in the file for global client settings (usually ldap.conf) instead of in the correct file (usually ~/.ldaprc), they remain ineffective in most cases. If client settings are added to the configuration of the server (usually slapd.conf), they might impair the operability of the entire system. This is the case, for example, when the setting that a communication partner must authenticate using a certificate, which is useful for clients, is applied to the server: most clients do not have an appropriate certificate.
- Access Control Lists (ACLs) are an essential security mechanism of OpenLDAP. The effectiveness of the access right management depends heavily on the correct configuration of the ACLs. If, for instance, a specific user is to be prohibited from accessing the directory service, an administrator might try to achieve this by appending a corresponding access rule to the end of the existing set of rules. However, such a rule often does not take effect, because evaluation of the set of rules stops at the first applicable rule.
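The first-match behaviour described in the last item, shown as an added example in slapd.conf syntax (not part of the original catalogue entry); the suffix dc=example,dc=com and the user uid=jdoe are assumed placeholder values:

```conf
# Added example, not from the catalogue entry.
# Placeholder suffix and user: dc=example,dc=com, uid=jdoe.

# --- Ineffective ordering ---------------------------------------------
# slapd selects the FIRST "access to" directive whose <what> matches the
# entry/attribute and then applies the first matching "by" clause of that
# directive. "access to *" already matches every entry, so the final
# directive meant to lock out uid=jdoe is never reached: jdoe is an
# authenticated user ("users") and still gets read access.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none
access to *
    by dn.exact="uid=jdoe,ou=people,dc=example,dc=com" none
    by * none

# --- Corrected ordering -----------------------------------------------
# The deny rule comes first. "by * break" ends evaluation of this
# directive for everyone else and continues with the following
# directives, so the existing rules stay in force for all other users.
access to *
    by dn.exact="uid=jdoe,ou=people,dc=example,dc=com" none
    by * break
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none
```

The effective rights of a given identity can be verified against the configuration file with slapacl(8) before the server is restarted, for example `slapacl -f slapd.conf -D "uid=jdoe,ou=people,dc=example,dc=com" -b "<entry DN>" entry/read`.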