Bind 389DS to specific IP addresses only to limit exposure.
389-NS-004 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-NS-004 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | SC-7 |
| DISA SRG | SRG-APP-000142 |
## Rationale
By default, 389 Directory Server leaves nsslapd-listenhost and
nsslapd-securelistenhost unset and therefore listens on all available
interfaces (0.0.0.0), which means the LDAP and LDAPS ports are reachable on
every network the host is connected to, including management, storage, or
backup networks that have no legitimate need to carry directory traffic. An
attacker or misconfigured client on any of those segments can reach the
authentication service, probe the directory schema, or attempt bind attacks
without traversing any firewall boundary. Restricting the listen address to a
specific management or service IP eliminates that exposure at the process
level, ensuring the directory is unreachable from unintended network segments
even if host-based firewall rules are misconfigured or temporarily disabled.
This implements the network-boundary protection principle of NIST SP 800-53
SC-7 and contributes to satisfying DISA SRG-APP-000142.
## Check

Check which interfaces the server binds for LDAP and LDAPS. An empty value
or 0.0.0.0 for either attribute means the server listens on all interfaces.

```shell
dsconf <instance> config get nsslapd-listenhost nsslapd-securelistenhost
```
## Remediation

Bind the secure listener to a specific management IP and restart.

```shell
dsconf <instance> config replace nsslapd-securelistenhost=<bind_ip>
dsctl <instance> restart
```
## References
## Implementation Notes
The chosen IP address must be present and configured on a host interface
before restarting the server; if the address is absent at startup, 389DS will
fail to bind and the instance will not start. Changing the listen host
requires a full server restart to take effect. When managing both plain LDAP
and LDAPS traffic separately, set nsslapd-listenhost in addition to
nsslapd-securelistenhost as needed.
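The following POSIX shell script is an added example, not part of this control or of the 389DS project. It ties the Check and the Implementation Notes together: it evaluates the output of `dsconf <instance> config get nsslapd-listenhost nsslapd-securelistenhost` against this control, flagging an unset or wildcard value as a failure, and checks that the intended bind IP is actually configured on a local interface before a restart. It assumes that `dsconf ... config get` prints one `attribute: value` line per attribute with an empty value when the attribute is unset, and that interface addresses come from `ip -o addr show`; both outputs are passed in as text, and the sample values at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for control 389-NS-004 (not 389DS project code).
# Assumed input format: "attribute: value" lines from `dsconf ... config get`,
# and `ip -o addr show` lines for the interface check.

# classify_listen_host <value>
# PASS when the value is a specific address; FAIL when it is unset or a
# wildcard (0.0.0.0 / ::), which makes the server listen on every interface.
classify_listen_host() {
    case "$1" in
        ""|0.0.0.0|::|0:0:0:0:0:0:0:0) echo FAIL ;;
        *) echo PASS ;;
    esac
}

# evaluate_config <dsconf-output>
# Prints "attribute STATUS value" for each listen attribute found and
# returns 1 if any attribute fails the control, 0 otherwise.
evaluate_config() {
    report=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            nsslapd-listenhost:*|nsslapd-securelistenhost:*) ;;
            *) continue ;;
        esac
        attr=${line%%:*}
        # Everything after the first colon, with surrounding whitespace trimmed
        # (IPv6 values keep their own colons because only the first is split).
        value=${line#*:}
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        printf '%s %s %s\n' "$attr" "$(classify_listen_host "$value")" "${value:-<unset>}"
    done)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q ' FAIL '; then
        return 1
    fi
    return 0
}

# addr_present <ip> <ip-addr-output>
# Returns 0 if <ip> is configured on a local interface according to the
# given `ip -o addr show` output (the address is followed by its prefix "/").
addr_present() {
    printf '%s\n' "$2" | grep -Fq " $1/"
}

# --- Constructed sample data (not from a real host) ---
SAMPLE_DSCONF='nsslapd-listenhost:
nsslapd-securelistenhost: 10.0.0.5'
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0'
BIND_IP=10.0.0.5

if evaluate_config "$SAMPLE_DSCONF"; then
    echo "389-NS-004: compliant"
else
    echo "389-NS-004: NOT compliant (plain LDAP still listens on all interfaces)"
fi

if addr_present "$BIND_IP" "$SAMPLE_IP_ADDR"; then
    echo "$BIND_IP is configured locally; safe to restart"
else
    echo "$BIND_IP is not on any interface; do NOT restart until it is"
fi
```

On a live host, replace the constructed strings with the real command output, for example `evaluate_config "$(dsconf <instance> config get nsslapd-listenhost nsslapd-securelistenhost)"` and `addr_present <bind_ip> "$(ip -o addr show)"`. With the sample data above the script reports non-compliance because nsslapd-listenhost is still unset while nsslapd-securelistenhost is bound correctly, which is exactly the half-remediated state the Implementation Notes warn about.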