Configuring Systems to Prevent Eavesdropping

This appendix does not include procedure for configuring systems so that communication between systems is always conducted securely to prevent eavesdropping.

Some of the required configuration changes are addressed when you configure Identity Synchronization for Windows. For example, starting with Windows 2000, the password policies require that all password changes be made using secure methods. Consequently, simply configuring the Windows system partially addresses the security requirement.

However, eavesdroppers can still see the bind attempts when Identity Synchronization for Windows components replay bind credentials. To address this issue, you must configure Identity Synchronization for Windows to communicate securely with its Windows data source by configuring the Identity Synchronization for Windows Connectors to trust certificates offered by the Windows Active Directory system.

In addition, you must ensure that all clients authenticating to the LDAP store do so over TLS. You must configure PAM clients to trust the LDAP store and ensure that idsconfig specifies TLS:pam_ldap:simple as the only authentication method for the LDAP store.

The root accounts cannot use the passwd command arbitrarily to change a user’s password on PAM client. You might consider this restriction to be a limitation, depending on whether you trust the PAM client administrators.