1.1 Select an appropriate authentication mechanism - LDAP User Auth

Information

Sybase ASE provides multiple means of authenticating users. These include Sybase
proprietary authentication (username and password), Kerberos, LDAP user authentication
(LDAPUA), secure LDAPUA and PAM user authentication (PAMUA). The Sybase LDAPUA
implementation interoperates with LDAP v3 compliant servers such as Active Directory,
iPlanet and OpenLDAP.

Rationale:

The most appropriate authentication mechanism depends on how Sybase is used within
your organization. It is recommended that the System Security Officer consult the Sybase
ASE 15.0 Administration Guide, Volume 1, Chapter 16 (External Authentication) for a
discussion of the advantages and disadvantages of each.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Set appropriate authentication mechanism in accordance with your organizations
security policy.

2. Ensure that the authentication mechanism is configured to not fallback to an
alternative mechanism unless your organizations security policy explicitly permits
this.

For LDAPUA this is accomplished by connecting to the ASE server as a user with the
sso_role and executing the following SQL statement:

exec sp_configure 'enable ldap user auth', 2

For PAMUA this is accomplished by connecting to the ASE server as a user with the
sso_role and executing the following SQL statement:

exec sp_configure 'enable pam user auth', 2

See Also

https://workbench.cisecurity.org/files/1612