Python Unauthenticated Ldap Bind
Description
Detects LDAP bind operations in Python code (python-ldap) where the password is missing, empty, or hardcoded. A simple bind with no password is an unauthenticated bind: some directory servers, Active Directory among them, treat it as an anonymous bind and return success, so an application that takes a successful bind as proof of identity will accept any username together with an empty password. Hardcoded credentials expose the directory account to anyone who can read the source or the repository history. In both cases an attacker can read or modify directory information without authenticating as a real user, potentially exposing sensitive organizational data.
Detection Strategy
• Identifies LDAP bind calls using the python-ldap methods 'simple_bind', 'simple_bind_s', 'bind', or 'bind_s'
• Checks whether the bind call omits the password argument, or passes an empty or hardcoded string literal instead of a credential supplied at runtime
• Verifies that the receiver of the call is an LDAP connection instance (for example, the result of ldap.initialize)
• Reports a vulnerability for every bind call on an LDAP connection whose credentials are missing, empty, or hardcoded
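As an added illustration of the strategy above (this is not Fluid Attacks' own detector, which is not published on this page), the following script applies the same four checks to Python source with the standard ast module. It records variables assigned from ldap.initialize(...) as LDAP connections, finds calls to the listed bind methods on those objects, and reports a finding when the credential (the second positional parameter of python-ldap's bind methods, or the cred keyword) is missing, None, an empty string, or a hardcoded string literal. The source it scans is constructed here for the example.

```python
import ast
from typing import List, Set, Tuple

# python-ldap bind methods named in the detection strategy
BIND_METHODS = {"simple_bind", "simple_bind_s", "bind", "bind_s"}


def _ldap_connection_names(tree: ast.AST) -> Set[str]:
    """Names assigned from ldap.initialize(...), used as the proxy for
    'this object is an LDAP connection'."""
    names: Set[str] = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign)
                and isinstance(node.value, ast.Call)
                and isinstance(node.value.func, ast.Attribute)
                and node.value.func.attr == "initialize"
                and isinstance(node.value.func.value, ast.Name)
                and node.value.func.value.id == "ldap"):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def find_unsafe_ldap_binds(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every bind on an LDAP connection whose
    credential is missing, None, an empty literal, or a hardcoded literal."""
    tree = ast.parse(source)
    conns = _ldap_connection_names(tree)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in BIND_METHODS:
            continue
        receiver = node.func.value
        if not (isinstance(receiver, ast.Name) and receiver.id in conns):
            continue  # a bind() on something that is not an LDAP connection
        # python-ldap signature is bind(who, cred, ...): the credential is the
        # second positional argument or the `cred` keyword.
        cred = node.args[1] if len(node.args) >= 2 else None
        for kw in node.keywords:
            if kw.arg == "cred":
                cred = kw.value
        if cred is None or (isinstance(cred, ast.Constant) and cred.value is None):
            findings.append((node.lineno, "missing password: bind is unauthenticated"))
        elif isinstance(cred, ast.Constant) and isinstance(cred.value, str):
            if cred.value == "":
                findings.append((node.lineno, "empty password: server may treat bind as anonymous"))
            else:
                findings.append((node.lineno, "hardcoded password literal"))
    return sorted(findings)


# Constructed sample input; user_dn/password are names read at runtime
SAMPLE_SOURCE = '''\
import ldap
conn = ldap.initialize("ldap://example:389")
conn.simple_bind("cn=admin")                # no password
conn.simple_bind_s("cn=admin", "")          # empty password
conn.bind("cn=admin", "secret123")          # hardcoded password
conn.simple_bind_s(user_dn, password)       # credentials supplied at runtime: fine
other.bind("cn=admin")                      # not an LDAP connection: ignored
'''

if __name__ == "__main__":
    for line, reason in find_unsafe_ldap_binds(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

The connection check is deliberately simple: it only recognises a plain variable assigned directly from ldap.initialize, so a chained ldap.initialize(...).simple_bind_s(...) or a connection returned from a helper function would be missed by this script; a production rule would need data-flow tracking across functions.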
Vulnerable code example
import ldap
# Noncompliant LDAP authentication examples
conn = ldap.initialize("ldap://example:389")
conn.simple_bind("cn=admin")  # Vulnerable: no password, so the bind is unauthenticated
conn.bind("cn=admin", "secret123")  # Vulnerable: hardcoded credentials
Secure code example
import ldap
import os
from typing import Optional
def ldap_authenticate(username: str, password: Optional[str] = None) -> bool:
    """Secure LDAP authentication with environment variables and user credentials"""
    if not password:
        return False  # Reject empty passwords: an empty credential would turn into an unauthenticated bind
    try:
        # Use TLS enabled LDAP URL (ldaps://...) taken from the environment; LDAP_URL is an assumed variable name
        conn = ldap.initialize(os.environ["LDAP_URL"])
        conn.simple_bind_s(username, password)  # Credentials come from the caller, never from the source code
        return True
    except ldap.INVALID_CREDENTIALS:
        return False