IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-215204	SRG-OS-000074-GPOS-00042	AIX7-00-001045	SV-215204r987796_rule	2024-08-16	3

Description
While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.

ℹ️ Check
Run the following command to check if "authtype" is "ldap_auth": # grep -iE "^authtype:[[:blank:]]ldap_auth" /etc/security/ldap/ldap.cfg The above command should yield the following output: authtype:ldap_auth Run the following command to check if SSL is not used in the "/etc/security/ldap/ldap.cfg" file: # grep -iE "^useSSL:[[:blank:]]yes" /etc/security/ldap/ldap.cfg The above command should yield the following output: useSSL:yes If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes", this is a finding.

ℹ️ Check

Run the following command to check if "authtype" is "ldap_auth": # grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg The above command should yield the following output: authtype:ldap_auth Run the following command to check if SSL is not used in the "/etc/security/ldap/ldap.cfg" file: # grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg The above command should yield the following output: useSSL:yes If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes", this is a finding.

✔️ Fix
Edit the "/etc/security/ldap/ldap.cfg" file to have the following line: useSSL:yes Configure the LDAP server and LDAP client to use the SSL according to AIX LDAP documentation. Restart the client daemon: # restart-secldapclntd