Security Considerations
Important
When using LDAP servers in a secure environment, all LDAP servers must use SSL server certificates issued by the same certificate authority, or by subordinate authorities of the same public root authority. Configuration Server must be provisioned (using the cacert-path option) with a certificate authority certificate (or chain of certificates) that can validate all server SSL certificates.
If mutual authentication is required on connections to LDAP servers, Configuration Server must be provisioned (using the cert-path and key-path options) with the same local certificate that is accepted by all LDAP servers.
Genesys does not support specifying different client certificates (and/or certificate authority certificates) for different connections. In addition, Genesys strongly recommends that you do the following:
- Set the Genesys URL used to access LDAP to use LDAPS (secure LDAP) protocol.
- Configure your LDAP server to prevent anonymous or unauthenticated access. For example, do not configure LDAP users with blank or empty passwords. This is in addition to not configuring users with empty passwords in the Configuration Database, as described on the LDAPExternalAuthentication page.
- Configure your LDAP server to prevent the directory base from being set to null.
- Restrict knowledge of the structure of your LDAP data. For example, some of this information is contained in the External ID field of User objects in the Configuration Database. Therefore, a user who has access to these objects could figure out the LDAP structure.
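The recommendations above, expressed as a configuration lint that flags the weak settings before Configuration Server is deployed. This is an added example, not Genesys code: the option names cacert-path, cert-path and key-path come from this page, while ldap-urls, bind-dn and bind-password are assumed names for the illustration.

```python
from urllib.parse import urlsplit, unquote

# cacert-path, cert-path and key-path are the option names from the text above;
# "ldap-urls", "bind-dn" and "bind-password" are assumed names for this example.
TLS_OPTIONS = ("cacert-path",)
MUTUAL_TLS_OPTIONS = ("cert-path", "key-path")


def lint_ldap_config(cfg: dict, mutual_auth: bool = False) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # One CA bundle must validate every LDAP server certificate, and (for mutual
    # authentication) one client certificate/key pair must be accepted by all servers.
    required = TLS_OPTIONS + (MUTUAL_TLS_OPTIONS if mutual_auth else ())
    for opt in required:
        if not cfg.get(opt):
            findings.append(f"{opt}: not provisioned")

    for url in cfg.get("ldap-urls", []):
        parts = urlsplit(url)  # urlsplit leaves ';' inside a DN untouched
        if parts.scheme.lower() != "ldaps":
            findings.append(f"{url}: scheme is not ldaps (traffic is unencrypted)")
        # RFC 4516: the path component of an LDAP URL is the search base DN.
        base_dn = unquote(parts.path.lstrip("/"))
        if not base_dn.strip():
            findings.append(f"{url}: directory base is null")

    # A non-empty DN with an empty password is an LDAP "unauthenticated bind"
    # (RFC 4513 section 5.1.2), which a server may silently treat as anonymous.
    if not cfg.get("bind-dn"):
        findings.append("bind-dn: empty, connection would bind anonymously")
    elif not cfg.get("bind-password"):
        findings.append("bind-password: empty, connection would be an unauthenticated bind")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration that violates several of the recommendations.
    weak = {
        "ldap-urls": ["ldap://ldap1.example.com/",
                      "ldaps://ldap2.example.com:636/dc=example,dc=com"],
        "bind-dn": "cn=genesys,dc=example,dc=com",
        "bind-password": "",
    }
    for finding in lint_ldap_config(weak, mutual_auth=True):
        print(finding)
```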
For more information and recommendations for securing your LDAP environment, refer to the LDAP benchmarks published by the Center for Internet Security and available on the Center’s web site.
This page was last edited on August 1, 2014, at 14:25.
