Details
JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm’s connection to the directory is defined by the ‘connectionURL’ configuration attribute. This attribute is usually an LDAP URL that specifies the domain name of the directory server to connect to.
The LDAP URL does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text.
To address this risk, Tomcat must be configured to use secure LDAP (LDAPS).
Solution
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application-specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps/
From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.
Locate the Realm element that uses the JNDIRealm and set its connectionURL attribute to an ldaps:// URL.
EXAMPLE:
This is for illustration purposes only. The user must modify the LDAP settings on a case-by-case basis to match their individual LDAP server and schema; the host name and port in connectionURL below are placeholders.
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldaps://LDAP_SERVER_FQDN:636"
    userPattern="uid={0},ou=people,dc=myunit,dc=mil"
    roleBase="ou=groups,dc=myunit,dc=mil"
    roleName="cn"
    roleSearch="(uniqueMember={0})"
/>
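An added compliance check for this control (example code, not part of the STIG or of Tomcat): it parses a server.xml document, walks every Realm element (including realms nested inside a LockOutRealm or CombinedRealm), and reports any JNDIRealm whose connectionURL or alternateURL does not use the ldaps:// scheme. The server.xml fragment and host names in it are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"


def find_insecure_jndi_realms(server_xml: str) -> list:
    """Return one finding per JNDIRealm LDAP URL that is not ldaps://.

    Each finding is a tuple (attribute name, offending URL). root.iter()
    walks the whole tree, so realms nested inside a LockOutRealm or
    CombinedRealm are inspected as well. An empty or scheme-less URL is
    reported because it cannot be an LDAPS connection.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        for attr in ("connectionURL", "alternateURL"):
            url = realm.get(attr)
            if url is None:
                continue  # attribute not configured on this realm
            if urlsplit(url).scheme.lower() != "ldaps":
                findings.append((attr, url))
    return findings


# Constructed server.xml fragment for the example (not a real deployment):
# the JNDIRealm still uses plain ldap:// on port 389, which this control
# forbids because credentials would cross the network in clear text.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.test:389"
               userPattern="uid={0},ou=people,dc=example,dc=test"
               roleBase="ou=groups,dc=example,dc=test"
               roleName="cn"
               roleSearch="(uniqueMember={0})" />
      </Realm>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for attr, url in find_insecure_jndi_realms(SAMPLE_SERVER_XML):
        print(f"FINDING: JNDIRealm {attr}={url!r} is not an ldaps:// URL")
```

Run it against a copy of $CATALINA_BASE/conf/server.xml by reading the file into the function instead of the constructed sample.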
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Unix.
References
- 800-53|IA-5(1)(c)
- CAT|I
- CCI|CCI-000197
- Rule-ID|SV-222965r615938_rule
- STIG-ID|TCAT-AS-000690
- STIG-Legacy|SV-111455
- STIG-Legacy|V-102513
- Vuln-ID|V-222965