By: Cedric Ferraris user 24 Oct 2018 at 12:14 p.m. CDT

2 Responses

Hello, I am following on this closed [ticket](https://support.gluu.org/installation/6040/securityhardening-best-practices/) and was wondering if removing the ox-ldap.properties file should also be included in your best practices [guide](https://gluu.org/docs/ce/3.1.4/operation/security/), since I can see it contains the bindDN and bindPassword of the local LDAP (similar to what is suggested for setup.properties.last) ? Thanks

CentOS 7.0

closed

By Aliaksandr Samuseu staff 24 Oct 2018 at 12:27 p.m. CDT

Copy

Hi, Cedric. If you're talking about `/etc/gluu/conf/ox-ldap.properties` then no, you must not delete it - it's a vital piece of configuration and you'll break your instance. You are right, most of the sensitive credentials data located in `setup.properties.last` is still present on disk in different configuration files, either in plain text, or reversibly-encrypted. There is no easy way around it as different components need to have access to it. So the only point in removing that file is to make it harder for a malicious user to retrieve this data.

By Cedric Ferraris user 24 Oct 2018 at 12:47 p.m. CDT

Copy

Ok, thanks for the explanation. I believe the bindPassword in ox-ldap.properties is encrypted anyway.

You need to Login in order to post an answer

Security best practices v2

By: Cedric Ferraris user 24 Oct 2018 at 12:14 p.m. CDT

Answers

By Aliaksandr Samuseu staff 24 Oct 2018 at 12:27 p.m. CDT

By Cedric Ferraris user 24 Oct 2018 at 12:47 p.m. CDT

Post an answer