LDAP Secure Connection
Secure LDAP authentication is required.
What does this mean?
Many systems are integrated using the Lightweight Directory Access Protocol (LDAP) because it provides a centralized directory of user and computer information: systems stay consistent and user-aware, and users can reach multiple services with one set of credentials. An LDAP client authenticates to an LDAP server with a "bind request", which, among other things, carries the authentication mechanism and credentials.
What can happen?
Anonymous and unauthenticated binds grant access to information in the LDAP directory without requiring a password, so their use should be prohibited.
Recommendation
In LDAP, simple authentication can use one of three mechanisms:
- Anonymous Authentication Mechanism: a bind request whose username and password are both of zero length.
- Unauthenticated Authentication Mechanism: a bind request with a (non-empty) username but a password of zero length.
- Name/Password Authentication Mechanism: a bind request with a password of non-zero length.
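The three mechanisms above can be told apart on the wire, which lets a proxy, test harness or traffic audit refuse anonymous and unauthenticated binds before they reach the directory. The Python below is an added example, not part of the original page; it assumes LDAPv3 simple binds with definite-length BER encoding, and the sample messages are constructed here.

```python
# Classify an LDAP simple BindRequest by its RFC 4513 mechanism from raw BER bytes (added example).
ANONYMOUS, UNAUTHENTICATED, NAME_PASSWORD, SASL = "anonymous", "unauthenticated", "name/password", "sasl"

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg: bytes) -> str:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, [APPLICATION 0] BindRequest }; BindRequest holds
    version INTEGER, name LDAPDN, authentication CHOICE { simple [0] OCTET STRING, sasl [3] ... }."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:                          # [APPLICATION 0] constructed = BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, password, _ = _read_tlv(bind, pos)
    if auth_tag != 0x80:                     # [0] primitive = simple; 0xA3 would be SASL
        return SASL
    if not name and not password:            # zero-length name and password
        return ANONYMOUS
    if not password:                         # name present, zero-length password
        return UNAUTHENTICATED
    return NAME_PASSWORD

def bind_allowed(msg: bytes) -> bool:
    """Policy from the recommendation above: only name/password (or SASL) binds may proceed."""
    return classify_bind(msg) in (NAME_PASSWORD, SASL)

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder for building sample messages (values shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

def build_simple_bind(name: bytes, password: bytes, msg_id: int = 1) -> bytes:
    """Constructed sample: encode an LDAPv3 simple BindRequest for the given DN and password."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, name) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

# Constructed capture of the classic anonymous bind: messageID 1, version 3, empty DN and password.
ANON_BIND_CAPTURE = bytes.fromhex("300c020101600702010304008000")
```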
Sample Code
Vulnerable (C#):
DirectoryEntry myDirectoryEntry = new DirectoryEntry(adPath);
myDirectoryEntry.AuthenticationType = AuthenticationTypes.None; // Noncompliant

DirectoryEntry myDirectoryEntry = new DirectoryEntry(adPath, "u", "p", AuthenticationTypes.None); // Noncompliant
Non Vulnerable (C#):
DirectoryEntry myDirectoryEntry = new DirectoryEntry(myADSPath); // Compliant; the default DirectoryEntry.AuthenticationType value is "Secure" since .NET Framework 2.0

DirectoryEntry myDirectoryEntry = new DirectoryEntry(myADSPath, "u", "p", AuthenticationTypes.Secure); // Compliant
Vulnerable (Java):
// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
// Use anonymous authentication
env.put(Context.SECURITY_AUTHENTICATION, "none"); // Noncompliant
// Create the initial context
DirContext ctx = new InitialDirContext(env);
Non Vulnerable (Java):
// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
// Use simple authentication
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, getLDAPPassword());
// Create the initial context
DirContext ctx = new InitialDirContext(env);
Vulnerable (PHP):
$ldapconn = ldap_connect("ldap.example.com");
if ($ldapconn) {
    $ldapbind = ldap_bind($ldapconn); // Noncompliant; anonymous authentication, no user/password provided
}
Non Vulnerable (PHP):
$ldaprdn = 'uname';
$ldappass = 'password'; // placeholder; load the real secret from configuration rather than hardcoding it
$ldapconn = ldap_connect("ldap.example.com");
if ($ldapconn) {
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass); // Compliant
}