S 4.156 Secure configuration of the Novell eDirectory client software
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Upon completion of the planning and installation of an eDirectory system (see S 2.236 Planning the use of Novell eDirectory), the directory system, including its client software, must be installed on the relevant computers.
Because a large number of applications and services can act as client software for eDirectory, specific configuration options are not addressed in detail below. It is also possible, amongst other things, to develop your own client software that communicates with eDirectory via its standardised LDAP interfaces.
The following general information should be considered in any case:
- The relevant safeguards in the IT-Grundschutz Catalogues for the respective underlying operating system must also be applied to secure the respective client installation.
- If the client software is to establish an SSL-protected LDAP connection to eDirectory, the client must be provided with the corresponding root certificate so that it can verify the authenticity of the SSL server certificate.
eDirectory is administered from a client using the ConsoleOne program. The security of the eDirectory installation therefore also depends on the integrity of the clients used for administration, and it is particularly important to secure these clients.
For client software used for administrative purposes, the integrity of the underlying operating system platform must be protected first. For example, access restrictions may be configured for system files, unless such restrictions are already part of the operating system's default settings. In addition to protecting the operating system platform of the client, the administration software itself requires protection: the directories in which ConsoleOne and the corresponding additional software are installed must be protected against manipulation or overwriting by assigning appropriate access restrictions.
The additional module NMAS (Novell Modular Authentication Services) is available specifically for the Novell client for Windows. This module allows additional authentication methods (e.g. smart card, biometrics, RADIUS protocol) to be configured for access to eDirectory, and combinations of authentication methods may also be used. When this module is in use, access rights on the eDirectory side can be made dependent on the authentication method used.
Review questions:
- SSL-protected LDAP connection from the client software to eDirectory: does the client possess the corresponding root certificate?
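As an added example (not part of this safeguard or of Novell's tooling), the following check answers the review question above and the root-certificate requirement stated earlier for clients built on the OpenLDAP client library, whose ldap.conf uses the directives TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT; the sample configurations and file paths are constructed placeholders.

```python
"""Check an LDAP client's ldap.conf for the root-certificate requirement.
Constructed example for clients built on the OpenLDAP client library (directives
TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT); not Novell's own tooling; paths are placeholders."""
import os

# TLS_REQCERT values under which the server certificate is actually verified
STRICT_REQCERT = {"demand", "hard"}

# Constructed sample: verification switched off, no root certificate configured
WEAK_CONF = """
URI         ldaps://edir.example.invalid
BASE        o=example
TLS_REQCERT never
"""

# Constructed sample: root certificate supplied and verification enforced
GOOD_CONF = """
URI         ldaps://edir.example.invalid
BASE        o=example
TLS_CACERT  /etc/ssl/certs/example-root-ca.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Map DIRECTIVE -> value. One 'keyword value' per line, '#' lines are
    comments, keywords are case-insensitive and the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_ldap_client_tls(text, path_exists=os.path.exists):
    """Return findings; an empty list answers the review question with 'yes'."""
    conf = parse_ldap_conf(text)
    findings = []
    # OpenLDAP defaults TLS_REQCERT to 'demand'; only an explicit weaker value fails.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert not in STRICT_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    cacert, cacertdir = conf.get("TLS_CACERT"), conf.get("TLS_CACERTDIR")
    if not cacert and not cacertdir:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no root certificate to verify against")
    elif cacert and not path_exists(cacert):
        findings.append(f"TLS_CACERT {cacert}: root certificate file not found")
    return findings
```

Running `check_ldap_client_tls` over the real ldap.conf of an administrative client yields an empty list only when verification is enforced and the referenced root certificate is actually present on that machine.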