IBM i Global

  • 1.  Hardening LDAP on IBM i

    Posted 24 days ago

    What actions or configurations can I perform to harden the LDAP protocol on the IBM i?



    ------------------------------
    Sebastian Bornand Fuentes
    ------------------------------


  • 2.  RE: Hardening LDAP on IBM i

    Posted 20 days ago

    Can you clarify it more?

    Are you running a full LDAP service on IBM i, or is LDAP on IBM i used only for Single Sign On?



    ------------------------------
    Bartlomiej Grabowski
    IBM Champion - Platinum Redbook Author and Principal System Specialist
    ------------------------------



  • 3.  RE: Hardening LDAP on IBM i

    Posted 20 days ago

    It is intended to be used for SSO on the IBM i



    ------------------------------
    Sebastian Bornand Fuentes
    ------------------------------



  • 4.  RE: Hardening LDAP on IBM i

    Posted 19 days ago

    Thank you for the clarification.

    We use SSO heavily too. What exact concern do you have with SSO? As long as someone has *ALLOBJ authority, he/she can cause a lot of trouble anyway.



    ------------------------------
    Bartlomiej Grabowski
    IBM Champion - Platinum Redbook Author and Principal System Specialist
    ------------------------------



  • 5.  RE: Hardening LDAP on IBM i

    Posted 19 days ago

    I am looking for security measures I can apply to prevent the protocol from being used as a potential attack vector.



    ------------------------------
    Sebastian Bornand Fuentes
    ------------------------------



  • 6.  RE: Hardening LDAP on IBM i

    Posted 18 days ago

    Dear Sebastian

    I find that the following 2 articles suggest that Channel Binding and LDAP Signing are important for hardening LDAP. Automate LDAP hardening is optional as an additional measure.



    ------------------------------
    Satid S
    ------------------------------



  • 7.  RE: Hardening LDAP on IBM i

    Posted 14 days ago

    I would recommend a few things.  One, you can turn off non-TLS access to LDAP.  389 is in the clear, 636 is TLS.  When you are using LDAP for SSO, there are no real user accounts in LDAP besides CN=Administrator.  This is an application level profile.  This means you should have a strong password set on it.  You should not have LDAP OS Profile Projection turned on.  And finally, you need to secure your OS accounts with a strong password on the IBM i side.



    ------------------------------
    Robert Andrews
    Principal Security Consultant
    Rochester
    +1-507-253-4205
    ------------------------------
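As an added example (not from this thread or from IBM), a small audit script for the first recommendation above: it reads an LDIF export of the Directory Server configuration entry and flags a setting that still accepts cleartext LDAP on 389 instead of TLS-only on 636. The `ibm-slapd*` attribute names and the `none`/`ssl`/`sslonly` values are those documented for IBM Security Directory Server; that the IBM i Directory Server configuration entry uses the same names is an assumption of this example, and the LDIF samples are constructed.

```python
# Constructed LDIF snippets standing in for an export of the Directory Server
# configuration entry (e.g. an ldapsearch against cn=Configuration). The
# ibm-slapd* attribute names follow IBM Security Directory Server; that the
# IBM i Directory Server uses the same names is an assumption of this example.
WEAK_CONFIG = """\
dn: cn=Configuration
ibm-slapdPort: 389
ibm-slapdSecurePort: 636
ibm-slapdSecurity: none
ibm-slapdAdminDN: cn=administrator
"""
# 'ssl' keeps both ports open; 'sslonly' is the hardened, TLS-only setting.
BOTH_PORTS_CONFIG = WEAK_CONFIG.replace("ibm-slapdSecurity: none", "ibm-slapdSecurity: ssl")
HARDENED_CONFIG = WEAK_CONFIG.replace("ibm-slapdSecurity: none", "ibm-slapdSecurity: sslonly")


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Folded continuation lines (leading space) are joined to the previous
    line as LDIF requires; comments and blank lines are skipped.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_ldap_config(ldif: str) -> list:
    """Return findings for settings that still let clients bind in the clear."""
    attrs = parse_ldif_entry(ldif)
    findings = []
    # Documented values: none = non-TLS port only, ssl = both ports,
    # sslonly = TLS port only. An absent attribute is treated as 'none'
    # (conservative assumption for the audit).
    security = attrs.get("ibm-slapdsecurity", ["none"])[0].lower()
    if security != "sslonly":
        port = attrs.get("ibm-slapdport", ["389"])[0]
        findings.append(f"ibm-slapdSecurity={security}: cleartext LDAP still accepted on port {port}")
    if "ibm-slapdsecureport" not in attrs:
        findings.append("no ibm-slapdSecurePort configured: TLS endpoint (636) missing")
    return findings
```

Run it against a real export of your configuration entry; an empty findings list is the target state for an SSO-only directory, with the CN=Administrator password and OS profile projection still checked by hand.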