...
The default OpenLDAP installation, with the configuration files generated by Ubisecure, configures a root account (rootdn) that has full privileges to the LDAP directory. Ubisecure software does not use this account at run-time, so in a secured production environment it should be disabled. The simplest way to do this is to comment out both the rootdn and rootpw lines in /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/<suffix>.conf, where the file name is derived from the directory suffix, for example cn=Ubilogin,dc=localhost.conf. Comment out both lines, not only rootpw: the rootdn is exempt from access controls however it authenticates, and it can still bind with its own entry's userPassword if that entry exists in the directory.
```
database bdb
directory "/usr/local/ubisecure/..."
suffix "..."
# rootdn "uid=System,ou=System,..."
# rootpw {SSHA}...
```
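The check a reviewer would want after editing the file is that no database section still carries an active rootdn or rootpw. The following is an added example, not Ubisecure's own tooling: it parses the slapd.conf directive format (blank lines and lines beginning with `#` are ignored, a line beginning with a space or tab continues the previous line, arguments may be double-quoted) and reports every database whose root account is still configured. The two configuration texts at the bottom are constructed samples based on the fragment above, not the real generated file; the `{SSHA}` value in them is a placeholder, not a real hash.

```python
"""Audit a slapd.conf-style <suffix>.conf for a still-active root account.

Added example (not Ubisecure code). Parses slapd.conf directives and reports,
per 'database' section, whether rootdn and rootpw are still in effect.
"""
import shlex


def parse_slapd_conf(text):
    """Return (directive, args) pairs; comments dropped, continuation lines joined."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                               # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()       # continuation of previous directive
        else:
            logical.append(raw.rstrip())
    # shlex honours the double-quoted arguments used in slapd.conf
    return [(p[0].lower(), p[1:]) for p in (shlex.split(l) for l in logical) if p]


def find_databases(text):
    """Collect suffix/rootdn/rootpw per database section (global directives are ignored)."""
    databases, current = [], None
    for name, args in parse_slapd_conf(text):
        if name == "database":
            current = {"backend": args[0] if args else "", "suffix": "",
                       "rootdn": None, "rootpw": False}
            databases.append(current)
        elif current is None:
            continue                               # rootdn/rootpw only apply inside a database
        elif name == "suffix" and args:
            current["suffix"] = args[0]
        elif name == "rootdn" and args:
            current["rootdn"] = args[0]
        elif name == "rootpw":
            current["rootpw"] = True
    return databases


def audit_root_accounts(text):
    """Return one finding per database that still has a root account configured."""
    findings = []
    for db in find_databases(text):
        if db["rootdn"] is not None:
            findings.append(f'{db["suffix"] or "?"}: rootdn "{db["rootdn"]}" is still active')
        if db["rootpw"]:
            findings.append(f'{db["suffix"] or "?"}: rootpw is still set')
    return findings


# Constructed sample of the generated file before hardening (placeholder hash).
BEFORE = """\
database bdb
directory "/usr/local/ubisecure/..."
suffix "cn=Ubilogin,dc=localhost"
rootdn "uid=System,ou=System,cn=Ubilogin,dc=localhost"
rootpw {SSHA}c29tZWZha2VoYXNo
"""

# The same file with both root account lines commented out, as described above.
AFTER = "\n".join(("# " + l if l.startswith(("rootdn", "rootpw")) else l)
                  for l in BEFORE.splitlines()) + "\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_root_accounts(conf) or ["ok: no root account configured"])
```

Run it against the real file with `audit_root_accounts(open(path).read())`; an empty result means both lines are gone from every database section. The parser only reads the slapd.conf format this page describes, not the cn=config backend.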
The OpenLDAP server must be restarted after the <suffix>.conf file has been modified, because slapd reads the file only at start-up. Issue the following command to restart it:
```
/etc/init.d/ubilogin-directory restart
```
...
Review all OAuth2 agents. For each agent, disable every OAuth2 grant type it does not actually use; the setting is the grant_types list in the agent's Agent Metadata value. The example below allows only the SAML2 bearer and authorization_code grant types.
```json
{
  "return_uris": ["https://app.example.com/return/oauth"],
  "grant_types": [
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "authorization_code"
  ]
}
```
...
When moving an agent to production, review the return_uris value in the OAuth2 agent metadata and allow only secure (https) addresses that the production application actually uses. Remove any http://, localhost or test-environment addresses left over from development, since an authorization response will only ever be sent to an address in this list.
```json
{
  "return_uris": ["https://app.example.com/return/oauth"],
  "grant_types": [
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "authorization_code"
  ]
}
```
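Both of the reviews above (unused grant types and insecure return_uris) can be run over every agent's metadata before a production move. The following is an added example and not Ubisecure code: it takes one agent's Agent Metadata JSON, flags grant types outside the set that agent needs, and rejects any return URI that is not an absolute https URL with a host, or that contains a wildcard or fragment. The production metadata is the JSON from this page; the REQUIRED_GRANT_TYPES set and the "development" metadata it is compared with are constructed for the example.

```python
"""Review an OAuth2 agent's metadata before it goes to production.

Added example (not Ubisecure code). Checks grant_types against the set this
agent needs and return_uris against a strict https-only policy.
"""
import json
from urllib.parse import urlsplit

# Grant types this particular agent is expected to use (assumption for the example).
REQUIRED_GRANT_TYPES = {
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "authorization_code",
}


def check_return_uri(uri):
    """Return None if the URI is acceptable, otherwise the reason it is not."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return f"{uri}: scheme must be https"
    if not parts.hostname:
        return f"{uri}: missing host"
    if "*" in uri:
        return f"{uri}: wildcards are not allowed"
    if parts.fragment:
        return f"{uri}: fragment not allowed in a redirect URI"
    return None


def review_agent_metadata(raw):
    """Return a list of findings for one agent's metadata JSON (empty means it passes)."""
    meta = json.loads(raw)
    findings = []
    grants = set(meta.get("grant_types", []))
    for extra in sorted(grants - REQUIRED_GRANT_TYPES):
        findings.append(f"grant type not needed by this agent: {extra}")
    for missing in sorted(REQUIRED_GRANT_TYPES - grants):
        findings.append(f"required grant type missing: {missing}")
    uris = meta.get("return_uris", [])
    if not uris:
        findings.append("return_uris is empty")
    for uri in uris:
        reason = check_return_uri(uri)
        if reason:
            findings.append(reason)
    return findings


# Agent metadata as shown on this page.
PRODUCTION = ('{"return_uris":["https://app.example.com/return/oauth"],'
              '"grant_types":["urn:ietf:params:oauth:grant-type:saml2-bearer",'
              '"authorization_code"]}')

# Constructed example of what a development-time agent often looks like.
DEVELOPMENT = json.dumps({
    "return_uris": ["http://localhost:8080/return/oauth", "https://*.example.com/cb"],
    "grant_types": ["authorization_code", "password",
                    "urn:ietf:params:oauth:grant-type:saml2-bearer"],
})

if __name__ == "__main__":
    for label, raw in (("production", PRODUCTION), ("development", DEVELOPMENT)):
        print(label, review_agent_metadata(raw) or ["ok"])
```

REQUIRED_GRANT_TYPES is per agent: an agent that only ever exchanges SAML assertions for tokens should have a smaller set, and anything reported as "not needed" is a grant type to remove from its metadata.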
...