V-3862{5,6,7}: LDAP server security

Implements: blueprint security-hardening

Change-Id: Ia36dc2c5f65b82a5756f2f221cebfb7b6bab1912

doc/source/developer-notes/V-38625.rst

@@ -0,0 +1,8 @@
+**Exception**
+
+Neither Ubuntu 14.04 or openstack-ansible configures LDAP authentication by
+default. Deployers that use LDAP authentication for systems are strongly
+urged to use TLS connectivity between client hosts and LDAP servers to
+prevent eavesdroppers on the network from reading the authentication attempts
+as they are made. The certificates on the LDAP server must be trusted by
+each client.

doc/source/developer-notes/V-38626.rst

@@ -0,0 +1 @@
+V-38625.rst

doc/source/developer-notes/V-38627.rst

@@ -0,0 +1,8 @@
+The STIG requires that any LDAP server packages on the system are removed.
+The Ansible role will remove ``slapd`` from the server if it is present.
+
+To opt-out of this change, set the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+   remove_services['ldap-server']: no

openstack-ansible-security/defaults/main.yml

@@ -44,11 +44,12 @@ disable_services:
 # boolean to 'no' means that the playbook will not alter the service.
 #
 remove_services:
-  ypserv: yes                                     # V-38603
   rsh-server: yes                                 # V-38591
+  ldap-server: yes                                # V-38627
   telnet_server: yes                              # V-38587
   tftp-server: yes                                # V-38606
   xinetd: yes                                     # V-38584
+  ypserv: yes                                     # V-38603
 
 ## Additional rules for auditd
 # The following booleans control the rule sets added to auditd's default

openstack-ansible-security/tasks/services.yml

@@ -118,3 +118,13 @@
     - services
     - cat3
     - V-38618
+
+- name: V-38627 - Remove LDAP servers unless required
+  apt:
+    name: slapd
+    state: absent
+  when: remove_services['ldap-server'] | bool
+  tags:
+    - services
+    - cat3
+    - V-38627