F.3 Restricting Access to eDirectory Server

This section is intended to help eDirectory administrators, designers, and implementers with configuration guidelines for eDirectory. These recommendations can help enhance the security of an eDirectory environment.

NetIQ recommends that you read the product documentation, eDirectory TIDs, Cool Solutions, and Knowledge Base articles, and that you regularly stay up to date on patches and versions of both eDirectory and the host operating system.

F.3.1 Security Considerations for the eDirectory Server Hosting Machine

  • eDirectory servers should be protected behind a firewall. Open the NetWare Core Protocol (NCP) port (the default is 524) in the firewall to allow communication with other eDirectory servers in the tree. If required, you can also open the LDAPS port 636. Anonymous access and the clear-text LDAP port 389 should be disabled.

  • Keep the servers in a physically secure location and restrict access to only authorized personnel.

F.3.2 Security Considerations for the Operating System

  • The system hosting the eDirectory server should have the latest operating system updates and security patches.

  • The system hosting the eDirectory server should not have any other services running except for SSH. In addition, the SSH server must be configured with strong ciphers.

  • If SSH is enabled, it is recommended that the SSH server logs be regularly audited for any unexpected activity.

  • The system should have a dedicated non-administrative account for configuring and running eDirectory. No other user accounts besides this non-administrative account and the root user should have shell access to the system.

  • An intrusion detection system should be utilized to alert the administrator of any unexpected behavior.
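The two lists above reduce to a short allow-list of listening TCP ports on the host: SSH, NCP 524 and (if required) LDAPS 636, with clear-text LDAP 389 and any other service absent. The following POSIX shell audit, added here as an example and not part of the NetIQ documentation, compares `ss -ltn`-style output against that allow-list; the sample listing is constructed, and the SSH port is assumed to be the default 22.

```shell
#!/bin/sh
# Listening TCP ports allowed on an eDirectory host per F.3.1 and F.3.2:
# SSH (22, assumed default), NCP (524) and LDAPS (636).
# Clear-text LDAP (389) and any other listener should be reported.
ALLOWED_PORTS="22 524 636"

# Extract local TCP ports from `ss -ltn`-style output on stdin
# (header line skipped), one unique port per line, numerically sorted.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print every listening port not in ALLOWED_PORTS, space-separated
# (empty line when the host is compliant).
unexpected_ports() {
    result=""
    for p in $(listening_ports); do
        allowed=0
        for a in $ALLOWED_PORTS; do
            [ "$p" = "$a" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && result="${result}${result:+ }$p"
    done
    printf '%s\n' "$result"
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# a host that still exposes clear-text LDAP and an extra HTTP listener.
SAMPLE='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      128    0.0.0.0:389        0.0.0.0:*
LISTEN  0      128    0.0.0.0:524        0.0.0.0:*
LISTEN  0      128    0.0.0.0:636        0.0.0.0:*
LISTEN  0      128    [::]:8028          [::]:*'

# Run the audit over the constructed sample; prints "389 8028".
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_ports
}

# With --live, audit the current host instead of the sample.
if [ "${1:-}" = "--live" ]; then
    ss -ltn | unexpected_ports
else
    audit_sample
fi
```

An empty result from the live run means only the allow-listed ports are listening; anything printed is a service to remove or a firewall rule to review.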

F.3.3 Security Considerations for eDirectory

  • We recommend that you configure the eDirectory server to run under a non-administrator user account whose credentials are rotated frequently.

  • The administrator should not change the file permissions of the NICI and eDirectory data files to provide more access than what is provided by default.

  • NICI and eDirectory data backups should be password-protected. The backup should be stored securely, and access to it should be restricted and monitored.

  • Enable Enhanced Background Authentication (EBA) on all eDirectory servers to encrypt synchronization traffic.

  • Administrator accounts should not be used by applications that require eDirectory authentication. We recommend creating and using service accounts with restricted access for this purpose.

F.3.4 Password Security Recommendations

  • We recommend that you generate an AES 256-bit tree key and re-encrypt passwords with it.

  • We recommend that you disable Universal Password and enable Password Based Key Derivation Function 2 (PBKDF2) hashes of passwords under the following conditions:

    • If you are using eDirectory without Identity Manager.

    • If you do not require user password retrieval.

  • If Universal Password is required, it should be enabled only for the users who need it, not for the whole tree.

  • Configure password policies to enforce:

    • Strong passwords

    • Changing passwords periodically and frequently

    • Password history