Insecure authentication method - LDAP
Need
Secure communication with LDAP server
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of the Erlang/OTP :eldap library, called from Elixir, for LDAP integration
Description
1. Non compliant code
defmodule MyApp.Insecure do
  @username 'username'
  @password 'password'

  def authenticate do
    # Plain LDAP on port 389: no TLS, so the bind password crosses the network in cleartext
    {:ok, handle} = :eldap.open(['example.com'], port: 389)
    result = :eldap.simple_bind(handle, @username, @password)
    :eldap.close(handle)
    result
  end
end

In this insecure code example, we're connecting to an LDAP server without any encryption. The password is sent in plaintext over the network, so an attacker who can listen to the network traffic can intercept it.
2. Steps
• Use LDAP over SSL (LDAPS) to encrypt the network traffic.
• Bind all blind authentication connections to a separate LDAP server.
• When allowing connections from the internet, only allow blind authentication.
3. Secure code example
defmodule MyApp.Secure do
  @username 'username'
  @password 'password'

  def authenticate do
    # LDAPS: the TLS handshake happens before any LDAP message, port 636 by convention.
    # :eldap takes host names, not URLs; ssl: true selects the TLS transport.
    {:ok, handle} = :eldap.open(['example.com'], port: 636, ssl: true)
    result = :eldap.simple_bind(handle, @username, @password)
    :eldap.close(handle)
    result
  end
end

In this secure code example, we're connecting to the LDAP server over SSL/TLS. The network traffic, including the password, is encrypted, which prevents attackers from intercepting the password. Note that encryption alone does not verify who is on the other end: the TLS options passed to :eldap should also require certificate verification against a trust store, otherwise an on-path attacker can present their own certificate.
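The following is an added example, not code from the original page, that carries the steps above a bit further than the secure snippet: it enables LDAPS with server certificate verification, rejects empty passwords (which LDAP treats as an unauthenticated bind rather than a failure), and always closes the connection. The host name ldap.example.com, the 5-second connect timeout and the use of the OS trust store via :public_key.cacerts_get/0 (OTP 25 or later) are assumptions.

```elixir
defmodule MyApp.LdapAuth do
  @moduledoc """
  Authenticate a user by binding to the directory over LDAPS.
  Added example: host name and CA source are assumptions, not values from the page.
  """

  # Placeholder directory host; LDAPS listens on 636 by convention.
  @host 'ldap.example.com'
  @port 636

  # TLS settings handed to Erlang's :ssl through :eldap.open/2.
  # verify_peer plus a trust store is what actually stops an on-path attacker
  # from presenting their own certificate; ssl: true alone only encrypts.
  defp ssl_opts do
    [
      verify: :verify_peer,
      # OS trust store (OTP 25+); use cacertfile: path instead for a private CA
      cacerts: :public_key.cacerts_get(),
      server_name_indication: @host,
      depth: 3
    ]
  end

  @doc "Returns :ok when the bind succeeds, {:error, reason} otherwise."
  def authenticate(user_dn, password) when is_binary(user_dn) and is_binary(password) do
    # RFC 4513 section 5.1.2: a bind with a DN and an empty password is an
    # *unauthenticated* bind that many servers accept. Reject it up front so an
    # empty form field can never be mistaken for a successful login.
    if password == "" do
      {:error, :empty_password}
    else
      case :eldap.open([@host], port: @port, ssl: true, sslopts: ssl_opts(), timeout: 5_000) do
        {:ok, handle} ->
          # :eldap wants charlists; release the connection whatever the bind result.
          try do
            :eldap.simple_bind(handle, to_charlist(user_dn), to_charlist(password))
          after
            :eldap.close(handle)
          end

        {:error, reason} ->
          {:error, {:connect_failed, reason}}
      end
    end
  end
end
```

A failed bind surfaces as {:error, :invalidCredentials} from :eldap, while a certificate that does not chain to the trust store fails already at :eldap.open/2, so the two cases can be logged separately.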
References
• 397. Insecure authentication method - LDAP