Profile Applicability:
• Level 2
Description:
LDAP clients enable systems to communicate with LDAP directories for authentication and directory services. If LDAP client functionality is not required, the client packages should be removed to reduce the attack surface and potential vulnerabilities.
Rationale:
Removing unnecessary LDAP client packages limits exposure to network-based attacks and reduces potential misconfigurations or unauthorized directory access.
Impact:
Pros:
Reduces risk associated with unused network services.
Minimizes system complexity and potential attack vectors.
Cons:
Removing the LDAP client may impact systems that rely on centralized authentication.
Default Value:
LDAP client packages may be installed by default on some systems.
Pre-requisites:
Root or sudo privileges to uninstall packages.
Remediation:
Test Plan:
Using Linux command line:
1. Check if LDAP client is installed:
RPM-based systems:
rpm -q openldap-clients
Debian-based systems:
dpkg -l | grep ldap-utils
2. Confirm presence of LDAP client packages.
Implementation Plan:
Using Linux command line:
1. Remove LDAP client packages if installed:
RPM-based:
yum remove openldap-clients -y
Debian-based:
apt remove ldap-utils -y
2. Verify removal:
RPM-based:
rpm -q openldap-clients
Debian-based:
dpkg -l | grep ldap-utils
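An added audit helper, not part of the benchmark text, that covers both the Test Plan check and the verification step above: it reads the package state instead of grepping dpkg -l, because dpkg -l also lists packages in the "rc" state (removed, configuration files remain), which the grep would report as still present. The sample dpkg -l lines, the function names and the PASS/FAIL wording are constructed for this example.

```shell
#!/bin/sh
# Audit helper for the LDAP client package (example code, not from the benchmark).
# A plain "dpkg -l | grep ldap-utils" matches any row mentioning the package,
# including ones in state "rc" (removed, config files left) or "un", so this
# inspects the two-letter status column instead.

# Constructed sample of `dpkg -l` output used for the offline demonstration.
SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
ii  ldap-utils     2.5.13+dfsg-5  amd64  OpenLDAP utilities
rc  slapd          2.5.13+dfsg-5  amd64  OpenLDAP server (slapd)'

# ldap_pkg_state_from_dpkg_list PKG: read `dpkg -l` text on stdin and print
# the state of PKG ("ii" installed, "rc" removed, "absent" when there is no row).
ldap_pkg_state_from_dpkg_list() {
    awk -v pkg="$1" '
        $2 == pkg { print $1; found = 1; exit }
        END { if (!found) print "absent" }'
}

# is_installed_state STATE: succeed only for a genuinely installed package
# ("ii" installed, "hi" installed and on hold).
is_installed_state() {
    [ "$1" = "ii" ] || [ "$1" = "hi" ]
}

# audit_ldap_client: live check against the local package manager.
# Prints PASS (returns 0) when no LDAP client package is installed,
# FAIL (returns 1) when one is. Runs rpm -q or dpkg-query, whichever exists.
audit_ldap_client() {
    if command -v rpm >/dev/null 2>&1; then
        if rpm -q openldap-clients >/dev/null 2>&1; then
            echo "FAIL: openldap-clients is installed"; return 1
        fi
    elif command -v dpkg-query >/dev/null 2>&1; then
        # ${Status} prints e.g. "install ok installed" or "deinstall ok config-files".
        status=$(dpkg-query -W -f='${Status}' ldap-utils 2>/dev/null || true)
        case "$status" in
            *" installed") echo "FAIL: ldap-utils is installed"; return 1 ;;
        esac
    fi
    echo "PASS: no LDAP client package installed"
    return 0
}

# Offline demonstration on the constructed sample (real audit: audit_ldap_client).
printf '%s\n' "$SAMPLE_DPKG_L" | ldap_pkg_state_from_dpkg_list ldap-utils
```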
Backout Plan:
Using Linux command line:
1. Reinstall LDAP client if needed:
RPM-based:
yum install openldap-clients -y
Debian-based:
apt install ldap-utils -y
2. Confirm successful installation.
References:
CIS Amazon Linux 2 Benchmark v3.0.0