[Fedora-directory-users] TLS authentication

Adams Samuel D Contr AFRL/HEDR Samuel.Adams at BROOKS.AF.MIL
Tue Aug 8 18:20:24 UTC 2006


Basically I am trying to use FDS for LDAP authentication for centralized
authentication on my Linux network and I need to make sure that it is
secure.  I figured that enabling TLS for authentication would be a good
start.  I read the Red Hat Directory Server administrator guide chapter
on TLS and followed the howto at
http://directory.fedora.redhat.com/wiki/Howto:SSL.  It looks like I have
TLS enabled because I can get my Linux clients using the OpenLDAP PAM
module to authenticate with TLS enabled, but my LDAP server will also
let them authenticate without TLS!

If someone authenticates without TLS, does that mean that their login
credentials are being passed in the clear?  

How do I make FDS only allow TLS authentication?

My basic goal is to make this secure.  

I also have two medium vulnerabilities that keep popping up with ISS that
I need to resolve but can't seem to find the proper configuration in the
admin console.

" LDAP NullBind: LDAP anonymous access to directory

The NULL bind entry allows a user to access the Lightweight Directory
Access Protocol (LDAP) directory anonymously. An attacker could take
advantage of the NULL bind entry to anonymously view files on the LDAP
directory.
Remedy:
Disable the NULL bind entry or control the entry with Access Control
Lists (ACLs).
References:"

--and--

" LDAP Schema: LDAP schema information gathering

An attacker could access the Lightweight Directory Access Protocol
(LDAP) schema to gain information about the LDAP server. The LDAP server
dumps its schema, which can show all necessary attributes needed for an
object, including hidden or non-readable attributes. An attacker could
use this information to access directory listings and plan further
attacks.
Remedy:
Disable the cn=schema entry or allow only authorized users to view the
entry.
References:"

Any recommendations on any of these points would be helpful...  Thanks,

Sam Adams
General Dynamics - Information Technology
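Added example, not part of the original post or of the FDS project: the three findings above (plaintext binds accepted, anonymous bind, anonymous schema reads) can be closed from cn=config on later 389 Directory Server releases, which added the nsslapd-require-secure-binds, nsslapd-allow-anonymous-access and nsslapd-minssf attributes after the 2006 FDS release discussed here. The host name and the DM_PW variable are placeholders; the checks at the end need the OpenLDAP client tools and a live server.

```shell
# Added example (not the original poster's configuration). Assumes a
# 389-DS release that supports the three cn=config attributes below;
# LDAP_HOST and DM_PW are placeholders the operator sets.
HOST="${LDAP_HOST:-ldap.example.com}"

# LDIF for cn=config:
#  - require-secure-binds: reject password (simple) binds over plaintext
#  - allow-anonymous-access off: no anonymous binds, so the NullBind and
#    cn=schema findings go away (no unauthenticated reads at all)
#  - minssf 128: every operation, not just the bind, needs TLS/STARTTLS
harden_config_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
-
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-minssf
nsslapd-minssf: 128
EOF
}

# Apply it as Directory Manager over STARTTLS (-ZZ fails closed if TLS
# cannot be negotiated, so the admin password never travels in the clear).
apply_hardening() {
    harden_config_ldif | ldapmodify -x -ZZ -H "ldap://$HOST" \
        -D "cn=Directory Manager" -w "$DM_PW"
}

# Checks to run afterwards (each returns 0 when the server behaves):
# an anonymous search and a plaintext password bind must both be refused,
# while the same bind over STARTTLS must still succeed.
anon_search_refused() {
    ! ldapsearch -x -H "ldap://$HOST" -b "" -s base '(objectclass=*)' >/dev/null 2>&1
}
plain_bind_refused() {
    ! ldapsearch -x -H "ldap://$HOST" -D "$1" -w "$2" -b "" -s base '(objectclass=*)' >/dev/null 2>&1
}
tls_bind_works() {
    ldapsearch -x -ZZ -H "ldap://$HOST" -D "$1" -w "$2" -b "" -s base '(objectclass=*)' >/dev/null 2>&1
}
```

Run apply_hardening first, then plain_bind_refused "uid=test,dc=example,dc=com" "$PW" and tls_bind_works with the same arguments; the PAM clients must be configured to use STARTTLS or ldaps:// before the change, or they will be locked out along with the attacker.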
