Database Encryption - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual

• Identify the smallest set of attributes on any given ACI.
When allowing or denying access to a subset of attributes on an object, determine whether the
smallest list is the set of attributes that are allowed or the set of attributes that are denied. Then
express the ACI so that it only requires managing the smallest list.
For example, the person object class contains a large number of attributes. To allow a user to
update only one or two of these attributes, write the ACI so that it allows write access for only those
few attributes. However, to allow a user to update all but one or two attributes, create the ACI so that
it allows write access for everything but a few named attributes.
• Use LDAP search filters cautiously.
Search filters do not directly name the object for which you are managing access. Consequently
their use can produce unexpected results. This is especially true as the directory becomes more
complex. Before using search filters in ACIs, run an ldapsearch operation using the same filter to
make clear what the results of the changes mean to the directory.
• Do not duplicate ACIs in differing parts of the directory tree.
Guard against overlapping ACIs. For example, if there is an ACI at the directory root point that
allows a group write access to the commonName and givenName attributes, and another ACI that
allows the same group write access for only the commonName attribute, then consider reworking the
ACIs so that only one control grants the write access for the group.
As the directory grows more complex, the risk of accidentally overlapping ACIs quickly increases.
By avoiding ACI overlap, security management becomes easier while potentially reducing the total
number of ACIs contained in the directory.
• Name ACIs.
While naming ACIs is optional, giving each ACI a short, meaningful name helps with managing the
security model, especially when examining ACIs from the Directory Server Console.
• Group ACIs as closely together as possible within the directory.
Try to limit ACI placement to the directory root point and to major directory branch points. Grouping
ACIs helps to manage the total list of ACIs, as well as helping keep the total number of ACIs in the
directory to a minimum.
• Avoid using double negatives, such as deny write if the bind DN is not equal to cn=Joe.
Although this syntax is perfectly acceptable for the server, it is confusing for a human administrator.

8.8. Database Encryption

Information is stored in a database in plain text. Consequently, some extremely sensitive information,
such as government identification numbers or passwords, may not be sufficiently protected by access
control measures. It may be possible to gain access to a server's persistent storage files, either
directly through the file system or by accessing discarded disk drives or archive media.
Database encryption allows individual attributes to be encrypted as they are stored in the database.
When configured, every instance of a particular attribute, even index data, is encrypted and can only
be accessed via a secure channel, such as SSL/TLS.
Database Encryption
133