On 9/28/07, Howard Chu hyc@symas.com wrote:
Buchan Milne wrote:
On Thursday 27 September 2007 20:09:19 Howard Chu wrote:
Unfortunately, they show configuration for slurpd in their section on "Redundant LDAP Servers".
I wonder if it is worthwhile providing CIS with feedback?
Now that you've pointed it out, I went and downloaded it. I find the quality of the editing of this document to be pretty abysmal, but the factual content is at least fixable. I'll be sending some feedback to the editor shortly.
As usual, if you want to know "best practices", the best way to get that is just to ask us or read the docs we've already written...
Indeed, but unfortunately our esteemed security group bases their security standards on the CIS benchmarks (usually their changes reduce the technical quality at the expense of formatting etc.), so I suspect at some stage I'll be getting questions about an OpenLDAP standard (and I'll probably have to fix it up more than I have the Linux one ...).
Understood. As Tony pointed out, when I said "when you want to know" I of course meant "when one wants to know" because obviously you, Buchan, already know what you're doing.
For anyone curious, here's their document as plaintext with my commentary inserted.
Howard Chu wrote:
You really ought to run articles like this by us before publishing, to be sure you've got all the facts correct.
Center for Internet Security Benchmark for OpenLDAP v1.0
Introduction

LDAP stands for Lightweight Directory Access Protocol, defined in RFC 2251 and others, and is based on X.500 directory services. LDAP servers are very popular, including commercial servers such as Microsoft Active Directory, IBM Tivoli Directory Server, Novell eDirectory, and Sun Java System Directory Server. OpenLDAP is the most popular of the open source LDAP servers. LDAP servers are just one part of a typical network infrastructure, and their security depends in part on the security of the rest of the infrastructure. However, this benchmark will focus primarily on the secure configuration of the OpenLDAP server.

Applicability

The benchmark was developed and tested using OpenLDAP version 2.3 on Fedora Core 6; however, most of the content will apply to other
...
Thanks for reproducing this document. I'm glad I didn't fill anything out to download it.
Am I the only one who noticed this: <quote> What is the Benchmark? The Benchmark is a compilation of security configuration actions and settings that "harden" MySQL databases. It recommends Level 1 Benchmark guidance, representing the prudent level of minimum due care for operating system security. </quote> ?
From this example, I would have to recommend strongly against following the advice of this site.