S 4.391 Secure operation of OpenLDAP
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
To maintain the security of OpenLDAP during operation as well, a series of steps must be taken at regular intervals so that any problems are detected early.
The following aspects in particular should be taken into account when operating OpenLDAP:
- It must be ensured that the slapd server is started with the intended configuration. The "-f [path/file name]" parameter specifies the slapd.conf file to be used; the "-F [path]" parameter specifies the slapd-config directory to be used. It is important to note that when both parameters are used at the same time, the two configurations do not supplement each other; instead, the slapd-config configuration is overwritten by the slapd.conf configuration.
- When the server is started, the slapd server should be restricted to the required protocols using the "-h [URLs]" parameter, for example "-h ldaps://".
- The slapd server must be restricted to a runtime directory using the "-r [directory]" parameter (chroot mechanism). This directory must include all configuration files and databases.
- Before the slapd server is stopped as planned, it should be checked whether it is still performing operations or whether there are still connections to clients (see S 4.407 Logging when using OpenLDAP). This applies especially to operations which are not continued after a restart, for example indexing. The slapd server has no stop command; to stop the server, the associated process must be terminated, for example using "kill -INT `cat /usr/local/var/slapd.pid`".
- Changes to the configuration must be documented carefully so that it is possible at any time to determine who made which changes and for what reasons. It is recommended to record all changes to the configuration files in a revision control system (such as git, mercurial or RCS). This makes it possible to restore a previous version of the configuration at any time and provides the record of who changed what, and why.
- After every change to the configuration, the syntax of the configuration file must first be checked with the slaptest program. Syntax errors in the configuration file could otherwise result in the slapd server not starting or in security gaps.
- After every change to access authorisations, the slapacl program must be used to check that the change just made is actually effective.
- The administrators must promptly obtain information on any current security gaps in the software used (see also S 2.35 Obtaining information on security weaknesses of the system). Information on newly detected security gaps is published by the OpenLDAP developers in the "Issue Tracking System" at http://www.openldap.org/its.
- The safeguards described in S 2.64 Checking the log files must also be implemented for OpenLDAP. The storage location and size of the logs depend on S 4.407 Logging when using OpenLDAP.
- The secure operation also includes contingency planning and data backup safeguards to be carried out at regular intervals (see S 6.136 Creation of a contingency plan for the failure of a Samba server and S 6.150 Data backup when using OpenLDAP).
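The following shell helpers illustrate three of the steps above (the slaptest syntax check, the slapacl access check, and the connection check before a planned stop with "kill -INT"). They are an added example, not part of the BSI catalogue or of OpenLDAP itself; the configuration, PID-file and log paths, the use of a slapd-config directory, and the assumption that slapd writes "stats" log lines to a file are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the BSI catalogue: shell helpers for the checks this
# safeguard calls for. Paths and the stats-log location are assumptions.
CONF_DIR="${CONF_DIR:-/usr/local/etc/openldap/slapd.d}"   # slapd-config (-F)
PID_FILE="${PID_FILE:-/usr/local/var/slapd.pid}"
STATS_LOG="${STATS_LOG:-/var/log/slapd.log}"              # loglevel "stats" output

# After a configuration change: syntax check with slaptest (-u: skip DB checks).
check_syntax() {
  slaptest -F "$CONF_DIR" -u
}

# After an ACL change: does bind DN $1 get access $3 to attribute $2 of entry $4?
# Assumes slapacl reports the verdict as "... ALLOWED" or "... DENIED".
check_acl() {
  slapacl -F "$CONF_DIR" -D "$1" -b "$4" "$2/$3" 2>&1 | grep -q 'ALLOWED$'
}

# Count client connections that were accepted but not closed, from stats-log
# lines such as "conn=1000 fd=12 ACCEPT from IP=..." and "conn=1000 fd=12 closed".
open_connections() {
  awk '
    /conn=[0-9]+ fd=[0-9]+ ACCEPT/ { match($0, /conn=[0-9]+/); open[substr($0, RSTART, RLENGTH)] = 1 }
    /conn=[0-9]+ fd=[0-9]+ closed/ { match($0, /conn=[0-9]+/); delete open[substr($0, RSTART, RLENGTH)] }
    END { n = 0; for (c in open) n++; print n }' "$1"
}

# Accept the PID file only if it holds a single positive integer, so a damaged
# or tampered file cannot turn the kill against some other process.
read_pid() {
  pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$pid"
}

# Planned stop: refuse while clients are still connected, then signal slapd.
stop_slapd() {
  [ "$(open_connections "$STATS_LOG")" -eq 0 ] || { echo "slapd still has client connections; not stopping" >&2; return 2; }
  pid=$(read_pid "$PID_FILE") || { echo "unusable PID file: $PID_FILE" >&2; return 1; }
  kill -INT "$pid"
}

# Constructed sample stats-log lines (two ACCEPTs, one closed) for trying open_connections offline.
write_sample_log() {
  cat > "$1" <<'EOF'
Jan 10 10:00:01 ldap1 slapd[812]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:636)
Jan 10 10:00:02 ldap1 slapd[812]: conn=1001 fd=13 ACCEPT from IP=10.0.0.6:40210 (IP=0.0.0.0:636)
Jan 10 10:00:03 ldap1 slapd[812]: conn=1000 fd=12 closed
EOF
}
```

Running `write_sample_log /tmp/sample.log; open_connections /tmp/sample.log` prints 1, the connection still open, and stop_slapd would refuse to signal the server until it has been closed.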
Review questions:
- Is the slapd server restricted to a runtime directory?
- Is it checked after changes to the configuration and access rights of OpenLDAP that the syntax is correct and the new access rights are effective?
- Is it ensured that the administrators are informed in advance of new security gaps in OpenLDAP?