S 4.382 Selecting and checking the OpenLDAP installation packages
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Depending on the infrastructure used, it must be decided whether OpenLDAP is installed from a source code package or from a binary package. If an operating system distribution is used, OpenLDAP is often included in it as a binary package. This has the advantage that dependencies on other software packages are resolved automatically in most cases and that any additionally required packages are installed as well. In either case, a suitable current version must be selected and obtained, and its authenticity must be checked (see also S 4.177 Assuring the integrity and authenticity of software packages). The selection and origin of the software to be installed, as well as the procedure used to check its integrity, must be documented.
General information on how to select the version
The OpenLDAP developers make the current source code and interim versions of the software available through a version control system, which is updated regularly. From this system, the latest version of all files can be obtained at any time (the head branch).
At irregular intervals, a development state that has been reached is separated from further development, i.e. no new functions are deliberately added to it (also referred to as a feature freeze). This software version is cleaned up, tested and published as a release. A release is assigned a version number in the form [software generation].[main version].[release number], for example 2.4.23.
OpenLDAP is open source software and can be used on a number of different operating systems and in numerous environments. The OpenLDAP developers cannot test a release in every possible combination and for every possible application scenario. However, they carefully evaluate the feedback that users and professional distributors provide on a release. If problems are found, a new release is generally provided. If experienced users and distributors have used a release for a sufficiently long period of time without problems, the OpenLDAP developers declare it a stable release. The OpenLDAP developers announce releases via the mailing list "openldap-announce" (http://www.openldap.org/lists/openldap-announce). This list should be subscribed to in order to monitor OpenLDAP development, and the messages received should be archived.
Installation from a source code package
The OpenLDAP web site refers to several globally distributed servers from which the current release and stable release versions can be downloaded. Older software versions are also provided for download on an FTP server. Thanks to the version control system, the current development version and interim versions that do not correspond to a release are also available. In production environments, only releases or stable releases may be used; the latest stable release is recommended. Under no circumstances may the current development version, or any other version not recommended for operation, be used.
The OpenLDAP developers do not use digital signatures to secure the source code packages. Instead, hash values are calculated over the compressed source code archive of a release (file with the extension "tgz") using the MD5 and SHA1 methods and are communicated in the release announcement sent to the mailing list "openldap-announce". Before a package is installed, both hash values should be generated, if possible, and compared with the expected values. If only one hash value is calculated, SHA1 is to be preferred, since it is the more secure of the two methods. The software and the information on its hash value must not be downloaded from the same server at the same time; instead, the hash values from the mailing list "openldap-announce" must be used for the check.
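The hash comparison described above, as an added example that is not part of the BSI text: a POSIX shell function that checks a downloaded release archive against the SHA1 value (and optionally the MD5 value) copied from the openldap-announce message. The function name, argument order and the tool fallbacks are assumptions of this example; the expected hash values are always supplied by the administrator from the announcement, never read from the download server.

```shell
#!/bin/sh
# Added example: verify a downloaded OpenLDAP release archive (openldap-X.Y.Z.tgz)
# against the hash values published in the openldap-announce mail.
# Usage: verify_release <tarball> <expected_sha1> [expected_md5]
# Exit status 0 only if every supplied hash matches; 1 on mismatch; 2 if the file is missing.

# Digest helpers: GNU coreutils sha1sum/md5sum first, BSD shasum/md5 as a fallback.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{print $1}'
    else shasum -a 1 "$1" | awk '{print $1}'; fi
}
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"; fi
}

verify_release() {
    tarball=$1
    # Normalise to lower-case hex so a value pasted in upper case still compares equal.
    want_sha1=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_md5=$(printf '%s' "${3:-}" | tr 'A-F' 'a-f')

    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 2; }

    # SHA1 is the mandatory check (the stronger of the two published values).
    got_sha1=$(sha1_of "$tarball")
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA1 MISMATCH for $tarball" >&2
        echo "  expected $want_sha1" >&2
        echo "  got      $got_sha1" >&2
        return 1
    fi

    # MD5 is checked only when the administrator supplied it as well.
    if [ -n "$want_md5" ]; then
        got_md5=$(md5_of "$tarball")
        if [ "$got_md5" != "$want_md5" ]; then
            echo "MD5 MISMATCH for $tarball (expected $want_md5, got $got_md5)" >&2
            return 1
        fi
    fi

    echo "OK: $tarball matches the announced hash values"
    return 0
}
```

Record the archive name, the announcement the hash values were taken from and the result of this check in the installation documentation, as the safeguard requires.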
Installation from binary packages in the distribution
If OpenLDAP is installed from the official installation sources of the distribution used, the version to be used is in general determined by what the distributor offers. If a package manager (for example yum or rpm) is used, it also ensures the authenticity and integrity of the packages.
Installation from binary packages from other sources
If binary packages are obtained from installation sources that are not part of the distribution used, it must be ensured that the provider of these sources is trustworthy. For OpenLDAP, this applies in particular to Windows installation packages that are offered for download by software portals but were not generated by the OpenLDAP developers. The subsequent selection of the version and the check of the authenticity of the binary packages are carried out as described in the sections "Installation from a source code package" and "Installation from binary packages in the distribution".
Review questions:
- Has the origin of the OpenLDAP installation packages been documented and has an integrity check been carried out?
- Is it ensured that only releases or stable releases are used in production environments?