ApacheDS must be hardened around LDAP transport security and admin access controls.\n\n## LDAP and Kerberos Controls\n\n- Require TLS for LDAP client and admin operations.\n- Disable insecure bind methods and anonymous access where possible.\n- Restrict Kerberos and LDAP service ports to trusted networks.\n\n## Configuration and Audit\n\n- Protect configuration partition from unauthorized writes.\n- Log bind failures and privilege changes.\n- Patch JVM and ApacheDS versions regularly.