
Ensure schema is validated before applying changes.

389-CM-003 - severity: medium

Field            Value
Control ID       389-CM-003
Severity         medium
Type             preventive
Owner            IT Operations
Status           authored
NIST 800-53      CM-3, CM-6
DISA SRG         SRG-APP-000516

Rationale

When nsslapd-schemacheck is disabled, clients can write entries with arbitrary attributes, undefined object classes, or missing required attributes, producing directory data that cannot be reliably processed, replicated, or audited. This data-integrity drift opens a gap between the intended directory model and the content actually stored, and can trigger unexpected behavior in directory-aware applications that assume conformant entries.

More critically, an attacker or misconfigured application may inject entries using undefined object classes that bypass access-control evaluation logic in downstream consumers.

Enforcing schema validation is a core configuration-management control - it bounds the data model to what was deliberately designed and prevents both accidental drift and deliberate injection of malformed entries. This control satisfies NIST SP 800-53 CM-3 (Configuration Change Control) and CM-6 (Configuration Settings), and is assessed by DISA SRG-APP-000516.

Check

Confirm that nsslapd-schemacheck is enabled in cn=config.

dsconf <instance> config get nsslapd-schemacheck

Expected: nsslapd-schemacheck: on

Remediation

Enable schema checking so that all LDAP write operations are validated against the registered schema.

dsconf <instance> config replace nsslapd-schemacheck=on

References

Implementation Notes

nsslapd-schemacheck is on by default in most 389DS installations, but it may have been disabled during initial population of legacy data or bulk imports from non-conformant sources. Confirm the current value before and after applying the fix. Enabling schema checking does not require a server restart; the change takes effect immediately for subsequent write operations. If enabling this control causes legitimate application writes to fail, the correct resolution is to register the missing schema elements (objectClasses or attributeTypes) under /etc/dirsrv/slapd-<instance>/schema/, not to leave checking disabled.
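The check and remediation above, plus the before/after confirmation the notes call for, as an added audit helper that is not part of this control page or of the 389DS project. It assumes dsconf prints the attribute in the form shown under Check; the instance name and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Audit helper for 389-CM-003 (added example, not from the control page).
# Assumes `dsconf <instance> config get nsslapd-schemacheck` prints a line
# of the form "nsslapd-schemacheck: on"; sample outputs below are constructed.

# schemacheck_status OUTPUT
#   Classifies dsconf's output. Prints compliant, noncompliant or unknown.
#   Exit status: 0 compliant, 1 noncompliant, 2 attribute not present.
schemacheck_status() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^nsslapd-schemacheck:[[:space:]]*//p' \
        | head -n 1 \
        | tr '[:upper:]' '[:lower:]' \
        | tr -d '[:space:]')
    case "$value" in
        on)  echo compliant;    return 0 ;;
        off) echo noncompliant; return 1 ;;
        '')  echo unknown;      return 2 ;;  # absent: a finding, never a pass
        *)   echo noncompliant; return 1 ;;  # anything but "on" fails the control
    esac
}

# audit_instance INSTANCE [--fix]
#   Records the value before the change; with --fix applies the remediation
#   from the page and records the value again, as the notes recommend.
audit_instance() {
    inst=$1; fix=$2
    before=$(dsconf "$inst" config get nsslapd-schemacheck 2>/dev/null)
    status=$(schemacheck_status "$before"); rc=$?
    printf '%s before: %s\n' "$inst" "$status"
    if [ "$rc" -ne 0 ] && [ "$fix" = "--fix" ]; then
        dsconf "$inst" config replace nsslapd-schemacheck=on || return 1
        after=$(dsconf "$inst" config get nsslapd-schemacheck 2>/dev/null)
        status=$(schemacheck_status "$after"); rc=$?
        printf '%s after:  %s\n' "$inst" "$status"
    fi
    return "$rc"
}

# Constructed sample outputs in dsconf's format, for offline use of the parser.
SAMPLE_ON='nsslapd-schemacheck: on'
SAMPLE_OFF='nsslapd-schemacheck: off'
```

Run `audit_instance <instance>` for a read-only check, or `audit_instance <instance> --fix` to remediate and re-check in one step; the exit status of schemacheck_status is suitable for scheduled compliance scans.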