2.4 Security Considerations for eDirectory

To install and configure eDirectory, make sure to follow the installation instructions. For more information, see NetIQ eDirectory Installation Guide. After installation, check that the following conditions are met:

  • The Enhanced Background Authentication (EBA) protocol is enabled so that traffic between servers is encrypted.

  • SNMP is disabled.

  • eDirectory is not listening on port 389.

  • LDAP and HTTP services are configured to use ECDSA certificates only.

  • Access to SSH is secured.

  • No other services are configured on the system.

Additionally, make sure that the following security measures are in place for secure eDirectory operations:

2.4.1 Considerations for Access to Resources

  • It is recommended to remove the Browse right from the [Public] trustee at the top of the tree.

  • It is recommended to give all users only basic rights and privileges, such as Compare and Browse rights, but no Read/Write or Supervisor rights.

  • For NMAS access control, enforce strong passwords using the password management utility in Identity Console. For more information, see Managing Login and Post-Login Methods and Sequences.

    To provide authentication access to eDirectory using NMAS login methods, see NMAS Functionality.

  • DSA access control: It is important that only authorized users have rights to perform sensitive operations, such as partitioning, server management, ndscheck, backup/restore, NICI backup, privileged operations in iMonitor, and schema extension.

  • Proxied Authorization Control: Allows clients to specify an authorization identity for each operation. This feature is particularly helpful for clients that need to perform multiple operations on behalf of different users.

  • In the PKI server, the administrator or an authorized user should be given the specific entry rights needed to manage NetIQ Certificate Server. It is recommended to grant rights to manage the CA, issue certificates, manage the CRL, revoke server certificates, and so on. For more information, see Entry Rights Needed to Perform Tasks.

  • In the LDAP Server attributes, check the rights of the “Anonymous user”. It is recommended to set the bind restrictions according to your requirements. For more information, see the ldapBindRestrictions attribute description in Configuring LDAP Objects.

2.4.2 Considerations for eDirectory Rights to ACLs

The Access Control List (ACL) is also called the Object Trustees property in eDirectory. Whenever you make a trustee assignment, the trustee is added as a value to the Object Trustees (ACL) property of the target. This property has strong implications for network security, so you must be careful when giving Add Self rights to all properties of a container object. That assignment makes it possible for the trustee to become Supervisor of that container, all objects in it, and all objects in containers beneath it.

Take note of the following recommendations:

  • List attributes which contain sensitive information and add rights to the Object Trustees (ACL) property to specific users or supervisors only.

  • Encrypt the attributes which contain sensitive information.

  • Assign the rights within eDirectory to perform tasks using Roles and Access Control (RAC) in Identity Console. When you assign a role to a user, RAC assigns the necessary rights to perform the tasks of that role. For more information on setting up RAC using Identity Console, see .
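The following audit script is an added example, not code from the NetIQ documentation. It checks exported ACL values for the two risks described above (the [Public] Browse right at the top of the tree, and Add Self over all attributes of a container) and assumes the LDIF ACL value syntax `privileges#scope#trustee#protectedAttribute` together with the eDirectory privilege bit layout noted in its docstring; all DNs and ACL values in it are constructed.

```python
"""Audit eDirectory Object Trustees (ACL) values exported as LDIF.
Added example, not code from the NetIQ documentation. Assumes the LDIF
ACL value syntax privileges#scope#trustee#protectedAttribute and the
eDirectory privilege bits (entry rights: Browse=1 Add=2 Delete=4 Rename=8
Supervisor=16; attribute rights: Compare=1 Read=2 Write=4 AddSelf=8
Supervisor=32 InheritanceControl=64). Sample DNs/values are constructed."""
from __future__ import annotations

ENTRY_BROWSE = 1       # entry-rights bit
ATTR_ADD_SELF = 8      # attribute-rights bit the guide warns about
ATTR_SUPERVISOR = 32   # attribute-rights bit

def parse_acl(value: str) -> dict:
    """Split one ACL value into its four '#'-separated fields."""
    privileges, scope, trustee, protected = value.split("#", 3)
    return {"privileges": int(privileges), "scope": scope,
            "trustee": trustee, "protected": protected}

def audit_acls(entry_dn: str, acl_values: list[str], tree_root: str) -> list[str]:
    """Flag the two risks the guide calls out: [Public] holding Browse at the
    top of the tree, and any trustee holding Add Self (or Supervisor) over
    [All Attributes Rights] of a container, which lets that trustee become
    Supervisor of the container and everything beneath it."""
    findings = []
    for raw in acl_values:
        acl = parse_acl(raw)
        bits = acl["privileges"]
        if (acl["protected"] == "[Entry Rights]" and acl["trustee"] == "[Public]"
                and bits & ENTRY_BROWSE and entry_dn == tree_root):
            findings.append(f"{entry_dn}: [Public] holds Browse at the top of the tree")
        if (acl["protected"] == "[All Attributes Rights]"
                and bits & (ATTR_ADD_SELF | ATTR_SUPERVISOR)):
            findings.append(f"{entry_dn}: {acl['trustee']} holds Add Self/Supervisor "
                            f"over all attributes ({acl['scope']} scope)")
    return findings

# Constructed sample: the top container of the tree with three ACL values.
SAMPLE_ROOT = "o=corp"
SAMPLE_ACLS = [
    "1#subtree#[Public]#[Entry Rights]",                          # Public Browse
    "1#subtree#cn=jdoe,ou=users,o=corp#[All Attributes Rights]",  # Compare only: fine
    "8#subtree#cn=hrapp,ou=svc,o=corp#[All Attributes Rights]",   # Add Self: escalation
]

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_ROOT, SAMPLE_ACLS, SAMPLE_ROOT):
        print(finding)
```

Run it against each container's ACL values from an `ice` or LDIF export; only the two constructed risky values are reported, the Compare-only assignment is not.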

2.4.3 Considerations for Public Key Infrastructure (PKI) Services

  • All operations related to certificates should be performed by the Admin user only. It is highly advised not to delegate this responsibility to any other user. In the event that it is delegated, the user should not have any other permissions in the tree.

  • The PKI has its own DIB and is secured using the Novell International Cryptographic Infrastructure (NICI).

  • Certificate Authority (CA) should be secured and only accessed by authorized users.

  • Take regular backups of the CA certificates.

  • Use Elliptic Curve (EC) certificates with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. The use of RSA certificates is not recommended.

2.4.4 Considerations for Novell International Cryptographic Infrastructure (NICI)

NICI is the cryptography module that provides keys, algorithms, various key storage and usage mechanisms, and a large-scale key management system. NICI controls the introduction of algorithms and the generation and use of keys. NICI allows a single commodity version of security products to be produced for worldwide consumption that supports strong cryptography and multiple cryptographic technologies. eDirectory is one of the services built on the NICI infrastructure.

Take note of the following recommendations:

  • Secure all the file systems and ensure that non-admin users do not have permissions to access them.

  • Avoid having multiple trees on the same server.

  • Take regular backups of the NICI using the DSBK backup utility provided by eDirectory.

  • Upgrade the tree key to either 3DES or AES256.

2.4.5 Considerations for Auditing eDirectory Events

  • Audit events related to logins, as well as operations such as add/modify/delete.

  • Use TLS for communication between eDirectory and the auditing servers (such as Sentinel and ArcSight).

  • Enable Security Events to detect intruders and monitor logins.