
Enforce session timeouts for idle admin sessions

389-SH-002 - severity: medium

Control ID: 389-SH-002
Severity: medium
Type: preventive
Owner: IT Operations
Status: authored
NIST 800-53: AC-12
DISA SRG: SRG-APP-000190, SRG-APP-000295

Rationale

Authenticated LDAP connections that are left idle but not closed retain their bound identity for the full lifetime of the connection. An attacker who gains access to a forgotten authenticated session - through a hijacked socket, a shared terminal, a compromised client host, or a TCP session-fixation condition - can perform privileged directory operations without possessing any credentials. Long-lived idle connections also consume server-side file descriptors and thread pool slots, creating a denial-of-service path on busy installations. Configuring a server-wide idle timeout causes 389DS to automatically terminate connections that have been inactive beyond the defined threshold, bounding the exploitation window for any compromised session to a known maximum duration. This control satisfies the session-termination requirements of NIST SP 800-53 AC-12 and is assessed by DISA SRG-APP-000190 (session lock) and SRG-APP-000295 (session termination).

Check

Confirm the server-wide idle connection timeout is set to a non-zero value.

dsconf <instance> config get nsslapd-idletimeout

Remediation

Set the server-wide idle timeout to 3600 seconds (1 hour).

dsconf <instance> config replace nsslapd-idletimeout=3600

References

Implementation Notes

nsslapd-idletimeout is a global setting that applies to all authenticated connections handled by this instance; the value is specified in seconds, and 0 disables the timeout entirely (which is the insecure default). The change takes effect for newly established connections without a server restart - existing connections are not immediately terminated. For finer-grained control, you can set the per-user operational attribute nsIdleTimeout on individual user entries to override the global value for specific accounts (such as service accounts that legitimately require long-lived connections). Set the parameter value to match your organizational session policy; the example value of 3600 (1 hour) is a common baseline.
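The check above only prints the current value; an auditor still has to judge it. The following POSIX shell helper, added here as an example and not part of the 389DS project or this control's own tooling, parses the captured output of "dsconf <instance> config get nsslapd-idletimeout" and classifies it as PASS (non-zero and within a policy ceiling), FAIL (zero, or above the ceiling) or UNKNOWN (attribute not present in the output). It assumes dsconf prints the attribute as "nsslapd-idletimeout: <seconds>"; the sample output strings, the 3600-second ceiling and the service-account DN are constructed for illustration. A second function emits the LDIF an operator would feed to ldapmodify to set the per-user nsIdleTimeout override mentioned in the notes, so the exception for a long-lived service account is recorded explicitly rather than by leaving the global timeout at 0.

```shell
#!/bin/sh
# Added example (not 389DS project code): evaluate the idle-timeout check output
# and generate the LDIF for a per-user override.

# evaluate_idle_timeout OUTPUT [CEILING]
#   OUTPUT : text captured from "dsconf <instance> config get nsslapd-idletimeout"
#   CEILING: largest acceptable timeout in seconds (assumed policy value, default 3600)
# Returns 0 on PASS, 1 on FAIL, 2 when the attribute could not be found.
evaluate_idle_timeout() {
    out="$1"
    ceiling="${2:-3600}"
    # Assumed dsconf output format: "nsslapd-idletimeout: 3600"
    value=$(printf '%s\n' "$out" \
        | sed -n 's/^nsslapd-idletimeout: *\([0-9][0-9]*\) *$/\1/p' \
        | head -n 1)

    if [ -z "$value" ]; then
        echo "UNKNOWN: nsslapd-idletimeout not found in dsconf output"
        return 2
    fi
    if [ "$value" -eq 0 ]; then
        echo "FAIL: nsslapd-idletimeout is 0; idle authenticated sessions never expire"
        return 1
    fi
    if [ "$value" -gt "$ceiling" ]; then
        echo "FAIL: nsslapd-idletimeout=$value exceeds policy ceiling of $ceiling seconds"
        return 1
    fi
    echo "PASS: nsslapd-idletimeout=$value seconds"
    return 0
}

# per_user_override_ldif DN SECONDS
#   Prints the LDIF that sets nsIdleTimeout on one entry (for use with ldapmodify),
#   so that a documented exception overrides the global value for that account only.
per_user_override_ldif() {
    dn="$1"
    seconds="$2"
    printf 'dn: %s\nchangetype: modify\nreplace: nsIdleTimeout\nnsIdleTimeout: %s\n' \
        "$dn" "$seconds"
}

# Stand-alone usage with constructed sample output (no live instance needed):
evaluate_idle_timeout "nsslapd-idletimeout: 0"     # insecure default -> FAIL
evaluate_idle_timeout "nsslapd-idletimeout: 3600"  # remediated value -> PASS
# Constructed service-account DN; adjust to the real entry before use:
per_user_override_ldif "uid=svc-backup,ou=Services,dc=example,dc=com" 86400
```

In a real audit, replace the constructed strings with `"$(dsconf <instance> config get nsslapd-idletimeout)"`; the function's exit code (0/1/2) lets it slot into a larger compliance script without parsing its printed text again.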