S 4.153 Secure installation of Novell eDirectory

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Upon completion of the planning of an eDirectory directory system (see S 2.236 Planning the use of Novell eDirectory), eDirectory must be installed on the relevant servers. An eDirectory server is not completely configured during the installation phase, and so some of the desired security settings may not be enabled yet. It is therefore recommended to perform the initial configuration in a protected environment or load a predefined, default configuration as an alternative.

Figure: eDirectory installation wizard

If an eDirectory server is installed in an existing directory tree, it will be necessary to specify its exact context. It is very difficult to move the server within the tree after it has been installed.

The local security settings are also configured initially during the installation, amongst other things: The most important basic settings relate to:

• the definition of the eDirectory tree,
• the eDirectory access authorisations,
• the eDirectory inheritance settings, and
• the security settings for LDAP access.

These settings can be specified to some extent during installation, but some will only be initialised by default values. For servers

initially representing a new eDirectory tree, the certificate server component of eDirectory must be installed first before an SSL-supported LDAP access may be used. The alternative regarding this is that the eDirectory server is integrated into an existing eDirectory tree.

Depending on which eDirectory modules are used, it is necessary to set up a secure installation configuration for each module that prevents access as long as the server is in the initial configuration phase and until the specified security policies have been implemented. Additional recommendations on this subject can be found in S 4.155 Secure configuration of the Novell eDirectory.

Figure: Summary of the installation

In general, the following must be considered from a security perspective during installation:

• The applicable access settings for the directory system after an eDirectory installation depend on whether the software was newly installed or whether an upgrade was performed.
• Additional upgrade mechanisms may change the default settings, e.g. the incorporation of a Windows NT domain into an eDirectory tree.
• If a new server is to be added to an existing eDirectory tree, the implicit inheritance mechanism allows significant reduction of the time required for initial configuration.
• Special care must be taken when installing the eDirectory server, because it stores sensitive data during subsequent operation.

eDirectory servers must only be installed and operated on servers that are located in a physically secure environment (see also S 1.29 Adequate siting of an IT system). This is particularly applicable to eDirectory servers containing the partition with the security container.

Review questions:

• Is the initial configuration of Novell eDirectory performed in a protected environment?