Insecure authentication method - LDAP
Need
Secure communication with LDAP server
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Elixir's LDAP library for LDAP integration
Description
Non compliant code
defmodule MyApp.Insecure do
  # :eldap expects Erlang charlists, hence ~c"..." rather than "..."
  @bind_dn ~c"cn=username,dc=example,dc=com"
  @password ~c"password"
  def authenticate do
    # Plain LDAP on port 389: no TLS, so the bind below sends the password in cleartext
    {:ok, handle} = :eldap.open([~c"example.com"], port: 389)
    :eldap.simple_bind(handle, @bind_dn, @password)
  end
end
In this insecure code example, the client opens a plain LDAP connection (port 389) with no encryption. The simple bind then sends the bind DN and password in cleartext, so anyone able to observe the traffic between the client and the server can capture the credentials.
Steps
- Use LDAP over SSL (LDAPS) to encrypt the network traffic.
- Bind all blind authentication connections to a separate LDAP server.
- When allowing connections from the internet, only allow blind authentication.
Compliant code
defmodule MyApp.Secure do
  @bind_dn ~c"cn=username,dc=example,dc=com"
  @password ~c"password"
  def authenticate do
    # LDAPS on port 636: TLS is negotiated before the bind, so the password never crosses the wire in clear.
    # verify: :verify_peer makes the client reject a server certificate that does not chain to a trusted CA
    # (:public_key.cacerts_get/0 needs OTP 25+; older releases can use cacertfile: instead).
    {:ok, handle} =
      :eldap.open([~c"example.com"],
        port: 636, ssl: true,
        sslopts: [verify: :verify_peer, cacerts: :public_key.cacerts_get()])
    :eldap.simple_bind(handle, @bind_dn, @password)
  end
end
In this secure code example, the client connects to the LDAP server over TLS (LDAPS, port 636), so the whole session, including the bind password, is encrypted and cannot be read by anyone watching the network. Note that ssl: true on its own does not make the Erlang ssl client check the server's certificate; pass verify: :verify_peer together with a trusted CA set in sslopts, otherwise the credentials would be sent to whatever host answers on that port.
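The following is an added example, not part of the original page, showing how the secure approach generalises: one bind function that supports both LDAPS and the STARTTLS upgrade, verifies the server certificate in both modes, and never falls back to a cleartext bind. The hostname, bind DN, password and ports are placeholders.

```elixir
defmodule MyApp.LdapTls do
  # Binds to an LDAP server over LDAPS (TLS from the first byte, port 636) or
  # STARTTLS (cleartext connect on 389, upgraded before any bind). Never falls
  # back to a cleartext bind. Host, DN and password are placeholders.

  # TLS client options: without verify: :verify_peer the Erlang ssl client
  # accepts any server certificate, which defeats the point of encrypting.
  # :public_key.cacerts_get/0 (OTP 25+) loads the OS trust store; on older
  # releases use cacertfile: ~c"/path/to/ca-bundle.pem" instead.
  defp ssl_opts, do: [verify: :verify_peer, cacerts: :public_key.cacerts_get()]

  # mode is :ldaps or :starttls; returns {:ok, handle} once the bind succeeded.
  def bind(host, bind_dn, password, mode \\ :ldaps) when is_list(host) do
    with {:ok, handle} <- open(host, mode) do
      case :eldap.simple_bind(handle, bind_dn, password) do
        :ok ->
          {:ok, handle}

        {:error, reason} ->
          # Wrong credentials (or a server error): release the connection
          :eldap.close(handle)
          {:error, {:bind_failed, reason}}
      end
    end
  end

  defp open(host, :ldaps) do
    :eldap.open([host], port: 636, ssl: true, sslopts: ssl_opts())
  end

  defp open(host, :starttls) do
    # The initial TCP connection is cleartext; nothing is sent on it except
    # the StartTLS extended operation. If the upgrade fails the socket is
    # closed so no later call can bind over the unencrypted connection.
    with {:ok, handle} <- :eldap.open([host], port: 389) do
      case :eldap.start_tls(handle, ssl_opts(), 5_000) do
        :ok ->
          {:ok, handle}

        {:error, reason} ->
          :eldap.close(handle)
          {:error, {:starttls_failed, reason}}
      end
    end
  end
end

# Usage (placeholder values):
# MyApp.LdapTls.bind(~c"ldap.example.com", ~c"cn=svc,dc=example,dc=com", ~c"secret")
# MyApp.LdapTls.bind(~c"ldap.example.com", ~c"cn=svc,dc=example,dc=com", ~c"secret", :starttls)
```

Whichever mode is used, a failed TLS setup returns an error tuple instead of a usable handle, so the caller cannot accidentally continue with an unencrypted session.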