TCAT-AS-000690 - LDAP authentication must be secured.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's connection to the directory is defined by the 'connectionURL' configuration attribute. This attribute is usually an LDAP URL that specifies the domain name of the directory server to connect to.

The LDAP URL does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text.

To address this risk, Tomcat must be configured to use secure LDAP (LDAPS).

Solution

Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps/<AppName>/WEB-INF/web.xml

From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Locate the <Realm> element in the server.xml file, add a nested <Realm> element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements.

EXAMPLE:
This is for illustration purposes only. The user must modify the LDAP settings on a case by case basis as per your individual LDAP server and schema.

<Realm className='org.apache.catalina.realm.JNDIRealm'
connectionURL='ldaps://localhost:686'
userPattern='uid={0},ou=people,dc=myunit,dc=mil'
roleBase='ou=groups,dc=myunit,dc=mil'
roleName='cn'
roleSearch='(uniqueMember={0})'
/>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R6_STIG.zip

Item Details

References: CAT|I, CCI|CCI-000197, Rule-ID|SV-222965r879609_rule, STIG-ID|TCAT-AS-000690, STIG-Legacy|SV-111455, STIG-Legacy|V-102513, Vuln-ID|V-222965

Plugin: Unix

Control ID: 47a18e1b9a7a092c8605b4bc2ecbce00f9889d8996be7219050d6cfff2546840