Re: Center for Internet Security benchmark for OpenLDAP

[Howard Chu <hyc@symas.com>]

Buchan Milne wrote:
> I just wanted to note that the Center for Internet Security recently published 
> a security benchmark for OpenLDAP (based on 2.3):

Funny, I just stumbled over their page last night but didn't bother to 
register to download the doc.

> http://www.cisecurity.org/bench_openldap.html
>
> A lot of the content seems to cover standard practise (e.g. what you get by 
> default on most Linux distributions in terms of who slapd is run as, 
> permissions on important files etc.), but there seem to be some sections 
> worth reading.
>
> Unfortunately, they show configuration for slurpd in their section 
> on "Redundant LDAP Servers".
>
> I wonder if it is worthwhile providing CIS with feedback?

Now that you've pointed it out, I went and downloaded it. I find the quality 
of the editing of this document to be pretty abysmal, but the factual content 
is at least fixable. I'll be sending some feedback to the editor shortly.

As usual, if you want to know "best practices", the best way to get that is 
just to ask us or read the docs we've already written...
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/