2.2.6 Ensure LDAP server is not enabled (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.
Rationale
If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.
Audit
Run the following commands to verify slapd is not enabled:
# systemctl is-enabled slapd disabled
Verify result is not “enabled”.
Remediation
Run the following command to disable slapd:
# systemctl disable slapd
References
For more detailed documentation on OpenLDAP, go to the project homepage at http://www.openldap.org.