On 9/28/07, Howard Chu <[EMAIL PROTECTED]> wrote:
> Buchan Milne wrote:
> > On Thursday 27 September 2007 20:09:19 Howard Chu wrote:
> >>> Unfortunately, they show configuration for slurpd in their section
> >>> on "Redundant LDAP Servers".
> >>>
> >>> I wonder if it is worthwhile providing CIS with feedback?
> >> Now that you've pointed it out, I went and downloaded it. I find the
> >> quality of the editing of this document to be pretty abysmal, but the
> >> factual content is at least fixable. I'll be sending some feedback to the
> >> editor shortly.
> >>
> >> As usual, if you want to know "best practices", the best way to get that is
> >> just to ask us or read the docs we've already written...
> >
> > Indeed, but unfortunately our esteemed security group bases their security
> > standards on the CIS benchmarks (usually their changes reduce the technical
> > quality at the expense of formatting etc.), so I suspect at some stage I'll
> > be getting questions about an OpenLDAP standard (and I'll probably have to
> > fix it up more than I have the Linux one ...).
>
> Understood. As Tony pointed out, when I said "when you want to know" I of
> course meant "when one wants to know" because obviously you, Buchan, already
> know what you're doing.
>
> For anyone curious, here's their document as plaintext with my commentary
> inserted.
>
> Howard Chu wrote:
> > You really ought to run articles like this by us before publishing, to be
> > sure you've got all the facts correct.
> >
> >> Center for Internet Security Benchmark for OpenLDAP v1.0
> >
> >> Introduction
> >> LDAP stands for Lightweight Directory Access Protocol defined
> >> in RFC 2251 and others and is based on X.500 directory services. LDAP
> >> servers are very popular including commercial servers such as Microsoft
> >> Active Directory, IBM Tivoli Directory Server, Novell eDirectory, and Sun
> >> Java System Directory Server. OpenLDAP is the most popular of the open
> >> source LDAP servers. LDAP servers are just one part of a typical network
> >> infrastructure, and their security depends in part on the security of the
> >> rest of the infrastructure. However this benchmark will focus primarily on
> >> the secure configuration of the OpenLDAP server.
> >>
> >> Applicability
> >> The benchmark was developed and tested using OpenLDAP version
> >> 2.3 on Fedora Core 6, however most of the content will apply to other ...
Thanks for reproducing this document. I'm glad I didn't fill anything out to download it. Am I the only one who noticed this?

<quote>
What is the Benchmark? The Benchmark is a compilation of security configuration actions and settings that "harden" MySQL databases. It recommends Level 1 Benchmark guidance, representing the prudent level of minimum due care for operating system security.
</quote>

From this example, I would have to recommend strongly against following the advice of this site.
