Enforce session timeout for idle users.
389-AC-005 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-AC-005 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-12 |
| DISA SRG | SRG-APP-000190 |
Rationale
Idle LDAP connections left open indefinitely present two distinct risks. First, an established but dormant connection continues to carry the authorization of the bind that opened it: anyone who can inject into that TCP stream (realistic on a segment where the connection is not TLS-protected) or who takes control of the client host can reuse the authenticated session without re-supplying credentials. Second, large numbers of stale connections consume file descriptors, connection-table slots and memory, which can exhaust server resources and deny service to legitimate clients. Setting nsslapd-idletimeout makes the server tear down connections that have carried no traffic for the configured period, bounding the reuse window to at most that period and reclaiming the resources. A value of 0, the server default, disables the timeout entirely and must never be used in production. NIST AC-12 requires automatic session termination after organization-defined conditions, of which a period of inactivity is the usual one; DISA SRG-APP-000190 applies this to covered applications and specifies 15 minutes of inactivity for user (non-privileged) sessions and 10 minutes for in-band management (privileged) sessions. See also 389-SH-002, which covers administrative session timeouts and should be set consistently with this control.
Check
Verify that the server-wide idle connection timeout is set to a value between 1 and 900 seconds (15 minutes) inclusive.
dsconf <instance> config get nsslapd-idletimeout
Expected: nsslapd-idletimeout: 900 (any value from 1 to 900 satisfies the control; 0, a value above 900, or a missing attribute is a finding)
Remediation
Set the server-wide idle connection timeout to 900 seconds.
dsconf <instance> config replace nsslapd-idletimeout=900
References
Implementation Notes
nsslapd-idletimeout is a server-wide setting expressed in seconds; 900 (15 minutes) is the recommended baseline. Because the setting is global, it cannot distinguish privileged from non-privileged binds, so where SRG-APP-000190's 10-minute limit for privileged sessions applies, or in higher-security environments generally, reduce it to 600. Per-user idle timeout overrides can be set via the nsIdleTimeout attribute on individual user entries, which takes precedence over the global value when that entry binds; if compliance requires a uniform timeout, audit the directory for entries carrying this attribute (a search with the filter (nsIdleTimeout=*) lists them) and remove or lower any value of 0 or above the baseline. The dsconf config replace command takes effect without a server restart; connections already idle are closed on the server's next idle-check pass. Expect clients that hold pooled connections (SSSD, application connection pools) to have their idle pooled connections closed by the server, and confirm they reconnect transparently rather than surfacing the first request after the timeout as an error. Note the relationship with 389-SH-002: that control covers the administrative (console/CLI) session timeout, while this control covers the LDAP protocol-level idle timeout for all client connections.
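The following script is an added example, not part of the control text or of 389 Directory Server. It implements the Check above, the per-user nsIdleTimeout audit from the Implementation Notes, and emits the Remediation command when the server value is out of range. It works on captured output of `dsconf <instance> config get nsslapd-idletimeout` and of an `ldapsearch -LLL ... "(nsIdleTimeout=*)" nsIdleTimeout` search rather than contacting a server, so the sample captures embedded below are constructed; the instance name `localhost` and the DNs in the sample LDIF are assumptions.

```bash
#!/usr/bin/env bash
# Added example for 389-AC-005 (not the control's or 389 DS's own code).
# Evaluates captured output of
#   dsconf <instance> config get nsslapd-idletimeout
#   ldapsearch -LLL -b <suffix> "(nsIdleTimeout=*)" nsIdleTimeout
# against the 900-second baseline. No server is contacted; samples are constructed.

MAX_IDLE=900   # ceiling required by the control, in seconds

# Return 0 if "$1" is a non-negative integer, 1 otherwise.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_idle_timeout "<dsconf output>": PASS only when 1 <= value <= MAX_IDLE.
# 0 is a FAIL (timeout disabled), not a "short" timeout.
check_idle_timeout() {
    local val
    val=$(printf '%s\n' "$1" | sed -n 's/^nsslapd-idletimeout:[[:space:]]*//p' | head -n 1)
    if [ -z "$val" ]; then
        echo "FAIL: nsslapd-idletimeout not found in output"; return 1
    fi
    if ! is_uint "$val"; then
        echo "FAIL: nsslapd-idletimeout has non-numeric value '$val'"; return 1
    fi
    if [ "$val" -eq 0 ]; then
        echo "FAIL: nsslapd-idletimeout=0 (idle timeout disabled)"; return 1
    fi
    if [ "$val" -gt "$MAX_IDLE" ]; then
        echo "FAIL: nsslapd-idletimeout=$val exceeds $MAX_IDLE"; return 1
    fi
    echo "PASS: nsslapd-idletimeout=$val"
}

# audit_user_overrides "<LDIF>": print one OVERRIDE line per entry whose
# nsIdleTimeout is 0, non-numeric, or above MAX_IDLE. Such an entry bypasses
# the global value when that user binds. Assumes unwrapped "ldapsearch -LLL" LDIF.
audit_user_overrides() {
    local dn="" val line
    while IFS= read -r line; do
        case "$line" in
            dn:*)            dn=${line#dn:}; dn=${dn# } ;;
            nsIdleTimeout:*) val=${line#nsIdleTimeout:}; val=${val# }
                             if ! is_uint "$val" || [ "$val" -eq 0 ] || [ "$val" -gt "$MAX_IDLE" ]; then
                                 echo "OVERRIDE: $dn nsIdleTimeout=$val"
                             fi ;;
        esac
    done <<EOF
$1
EOF
}

# remediation_cmd "<instance>": the dsconf call that brings the server into line.
remediation_cmd() { printf 'dsconf %s config replace nsslapd-idletimeout=%s\n' "$1" "$MAX_IDLE"; }

# Constructed samples standing in for real captures (assumed instance: localhost).
SAMPLE_DSCONF_WEAK='nsslapd-idletimeout: 0'
SAMPLE_DSCONF_OK='nsslapd-idletimeout: 600'
SAMPLE_LDIF='dn: uid=svc-backup,ou=people,dc=example,dc=com
nsIdleTimeout: 0

dn: uid=alice,ou=people,dc=example,dc=com
nsIdleTimeout: 600

dn: uid=svc-sync,ou=people,dc=example,dc=com
nsIdleTimeout: 86400'

# Stand-alone run: a disabled timeout is a finding and yields the fix command;
# the compliant value passes; two of the three sample entries are flagged.
if ! check_idle_timeout "$SAMPLE_DSCONF_WEAK"; then
    remediation_cmd localhost
fi
check_idle_timeout "$SAMPLE_DSCONF_OK"
audit_user_overrides "$SAMPLE_LDIF"
```

To use it against a live instance, replace the sample variables with the real captures, e.g. `check_idle_timeout "$(dsconf localhost config get nsslapd-idletimeout)"`; the audit deliberately treats any non-positive or non-numeric per-user value as an override so that nothing weaker than the baseline slips through unnoticed.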