logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure authentication method - LDAP - Elixir

Need

Secure communication with LDAP server

Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Elixir's LDAP library for LDAP integration

Description

Insecure Code Example

defmodule MyApp.Insecure do
  @username 'username'
  @password 'password'
  def authenticate do
    :eldap.open(['ldap://example.com'])
    |> :eldap.simple_bind({@username, @password})
  end
end

In this insecure code example, we're connecting to an LDAP server without any encryption. The password is sent in plaintext over the network. An attacker who can listen to the network traffic can intercept the password.

Steps

  1. Use LDAP over SSL (LDAPS) to encrypt the network traffic.
  2. Bind all blind authentication connections to a separate LDAP server.
  3. When allowing connections from the internet, only allow blind authentication.

Secure Code Example

defmodule MyApp.Secure do
  @username 'username'
  @password 'password'
  def authenticate do
    :eldap.open(['ldaps://example.com'])
    |> :eldap.simple_bind({@username, @password})
  end
end

In this secure code example, we're connecting to the LDAP server over SSL. The network traffic, including the password, is encrypted. This prevents attackers from intercepting the password.

References

  • 397 - Insecure authentication method - LDAP

    • Last updated

    2023/09/18