S 4.155 Secure configuration of Novell eDirectory

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Any number of modules for adding functionality not normally available in a pure directory service may be added to the configuration of eDirectory. This includes the following:

• the LDAP server module, which allows LDAP clients to access user information,
• the iMonitor tool, which allows administrative access using a web browser,
• the SLP module (Service Location Protocol), which administrates service URLs and incorporates these into resource management,
• the ConsoleOne as administration platform of the eDirectory,
• the certificate server, which is always installed in the eDirectory tree during the initial installation of an eDirectory server,
• any additional modules used such as the module for supporting groupwise.

This results in a bundle of configuration tasks that is additionally complemented by the following topics:

• configuration of the directory tree hierarchy,
• configuration of the object access rights,
• configuration of the inheritance filters,
• configuration of the security equivalences between individual objects and/or object classes,
• configuration of the administration roles,
• configuration of the delegation of administrative tasks,
• configuration of the users and user groups,
• distribution of the key management objects (KMOs),
• configuration of the client access to the eDirectory,
• configuration of the partitions of the eDirectory directory database,
• configuration of the replicas of the eDirectory directory database,
• configuration of the DirXML interface used for synchronisation with external directory services,
• configuration of the system monitors.

All these tasks apply to the eDirectory software. However, it must not be forgotten that it is also necessary to securely configure the underlying operating system, and especially the configurations of the server access, network connections, and file system.

Depending on the operational scenario and the range of functions offered by the eDirectory server, it will be necessary to examine which additional modules are needed to operate eDirectory and therefore should be installed. Unused modules should not be installed, because every module installed can cause security problems when configured incorrectly.

A corresponding security plan must be drawn up for every module activated. This plan must then be implemented by specifying suitable configuration parameters (see also S 2.238 Specification of security guidelines for Novell eDirectory).

eDirectory offers broad capabilities for configuring the user access for the individual user accounts created in the directory. In addition to the individual configuration of individual user accounts, templates may also be used in order to provide numerous user accounts with identical configurations. The existing options include, amongst others:

• a limitation of the times when it is possible to log in to the user account,
• a limitation of the IP addresses login can be performed from,
• a limitation of the number of simultaneous logins to a user account,
• requirements for the password length and the period of validity of passwords.

Figure: Alfons features

Moreover, it is possible to directly disable user accounts or to have user accounts disabled automatically after a certain period.

The security of an eDirectory system also depends on the security of the client software used to access it. For this reason, the client computers and client programs also must be included in the planning of a secure eDirectory system configuration. Recommendations on this subject can be found in S 4.156 Secure configuration of the Novell eDirectory client software. Special safeguards must be implemented for administrative accesses to the eDirectory.

In general, an eDirectory system will not only consist of just one eDirectory server, but will instead consist of a cluster of servers (see also S 2.236 Planning the use of Novell eDirectory). In this case, the directory database can be distributed between the various servers in the form of individual partitions. Furthermore, the individual servers can mutually replicate the directory databases. Since this means there are several copies of a database partition available on different servers, it is possible to distribute the load. The servers will need to exchange information on all changes in this case to ensure the copies of the directories are up to date at all times. It is therefore necessary to draw up a replication concept. The following aspects, amongst other things, must be taken into account in doing so:

• Which server contains the master replica of an eDirectory partition?
• Which types of replication will be configured?
• Which servers should retain replicas of the eDirectory directory?
• Which eDirectory directory information must be replicated (definition of the filters)?
• Should changes to replicas of the directory be allowed and should such changes be transferred to the original (definition as type read/write or as read-only)?

Since a system is generally subject to constant change during ongoing operations, it is also necessary to permanently monitor the security and reconfigure it when necessary. More information can be found in S 4.159 Secure operation of Novell eDirectory.

Review questions:

• Are all eDirectory modules configured for the role they will assume?
• Have special protective safeguards been implemented for the administrative accesses to the eDirectory?