diff --git a/doc/metadata/rhel7/RHEL-07-040180.rst b/doc/metadata/rhel7/RHEL-07-040180.rst index a87ed6d4..e5c805ef 100644 --- a/doc/metadata/rhel7/RHEL-07-040180.rst +++ b/doc/metadata/rhel7/RHEL-07-040180.rst @@ -1,7 +1,13 @@ --- id: RHEL-07-040180 -status: not implemented -tag: misc +status: exception - manual intervention +tag: auth --- -This STIG requirement is not yet implemented. +Deployers are strongly urged to utilize ``sssd`` for systems that authenticate +against LDAP or Active Directory (AD) servers. + +The ldap connector for ``sssd`` connects only to LDAP servers over +encrypted connections. Review the man page for +`sssd-ldap `_ for more details on this +requirement. diff --git a/doc/metadata/rhel7/RHEL-07-040181.rst b/doc/metadata/rhel7/RHEL-07-040181.rst index 3cc43ea2..51d236d5 100644 --- a/doc/metadata/rhel7/RHEL-07-040181.rst +++ b/doc/metadata/rhel7/RHEL-07-040181.rst @@ -1,7 +1,23 @@ --- id: RHEL-07-040181 -status: not implemented -tag: misc +status: exception - manual intervention +tag: auth --- -This STIG requirement is not yet implemented. +Deployers are strongly urged to utilize ``sssd`` for systems that authenticate +against LDAP or Active Directory (AD) servers. + +To meet this control, deployers must ensure that ``ldap_tls_cacert`` or +``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The +``ldap_tls_cacert`` directive specifies a single certificate while +``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA +certificates. + +.. warning:: + + Use caution when adjusting these settings. If the correct CA certificates + are not already deployed to the servers that perform LDAP authentication, + their attempts to authenticate users might fail. + + Consult with administrators of the LDAP system and test all changes on + a non-production system first. diff --git a/doc/metadata/rhel7/RHEL-07-040182.rst b/doc/metadata/rhel7/RHEL-07-040182.rst index 91707d77..ed1b6308 100644 
--- a/doc/metadata/rhel7/RHEL-07-040182.rst +++ b/doc/metadata/rhel7/RHEL-07-040182.rst @@ -1,7 +1,23 @@ --- id: RHEL-07-040182 -status: not implemented -tag: misc +status: exception - manual intervention +tag: auth --- -This STIG requirement is not yet implemented. +Deployers are strongly urged to utilize ``sssd`` for systems that authenticate +against LDAP or Active Directory (AD) servers. + +To meet this control, deployers must ensure that ``ldap_tls_cacert`` or +``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The +``ldap_tls_cacert`` directive specifies a single certificate while +``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA +certificates. + +.. warning:: + + Use caution when adjusting these settings. If the correct CA certificates + are not already deployed to the servers that perform LDAP authentication, + their attempts to authenticate users might fail. + + Consult with administrators of the LDAP system and test all changes on + a non-production system first.
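Review bot: In the RHEL-07-040180 hunk, the reStructuredText link `` `sssd-ldap `_ `` has no URL target between angle brackets, so Sphinx will treat it as a reference to an undefined named target and the reader gets no working link to the man page. Since the paragraph relies on that man page to back the claim that the ``sssd`` LDAP connector only uses encrypted connections, the link needs a real ``<URL>`` target (or a ``:manpage:`sssd-ldap(5)``` role), and it would help to name the ``sssd.conf`` option that enforces encryption so an auditor can verify the setting rather than take the sentence on trust.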
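Review bot: In the RHEL-07-040181 hunk, the text names ``/etc/sssd/sssd.conf`` but not the section the ``ldap_tls_cacert`` / ``ldap_tls_cacertdir`` directives belong to; both are per-domain options and go under the ``[domain/NAME]`` stanza, so a deployer following this page literally could place them at the top level where ``sssd`` ignores them. A two-line config snippet under a ``.. code-block:: ini`` showing the domain section would remove the ambiguity, and the sentence "deployers must ensure that ``ldap_tls_cacert`` or ``ldap_tls_cacertdir`` are set" should read "is set" since the subject is one of two alternatives.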
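Review bot: The RHEL-07-040182 hunk is a verbatim copy of the RHEL-07-040181 body, including the identical warning admonition, so either the two controls genuinely share one remediation and the page should say so with a cross-reference to avoid two copies drifting apart, or the 040182 text should describe what distinguishes this control from 040181 rather than repeating it. Mark in the commit which case applies; duplicated guidance with the same ``exception - manual intervention`` status and no verification step is hard for an auditor to map back to two separate STIG findings.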