Insecure authentication method - LDAP

Need

Secure communication with LDAP server

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Elixir's LDAP library for LDAP integration

Description

Non-compliant code

defmodule MyApp.Insecure do
  @username 'username'
  @password 'password'

  def authenticate do
    # Plain TCP on port 389: the bind request, and the password inside it, cross the network unencrypted.
    # :eldap.open/2 takes a list of host names (charlists), not URLs, and returns {:ok, handle}.
    {:ok, handle} = :eldap.open(['example.com'], port: 389)
    # simple_bind/3 takes the handle, the bind DN and the password.
    :eldap.simple_bind(handle, @username, @password)
  end
end

In this insecure code example, we're connecting to the LDAP server without any encryption, so the bind request sends the password in plaintext over the network. An attacker who can observe the network traffic can intercept it.

Steps

  • Use LDAP over SSL (LDAPS) to encrypt the network traffic.
  • Bind all blind authentication connections to a separate LDAP server.
  • When allowing connections from the internet, only allow blind authentication.

Compliant code

defmodule MyApp.Secure do
  @username 'username'
  @password 'password'

  def authenticate do
    # LDAPS: TLS on port 636 from the first byte, and the server certificate is checked
    # against a trusted CA bundle (path shown is a common Linux location; adjust per system).
    {:ok, handle} = :eldap.open(['example.com'], port: 636, ssl: true,
      sslopts: [verify: :verify_peer, cacertfile: '/etc/ssl/certs/ca-certificates.crt'])
    :eldap.simple_bind(handle, @username, @password)
  end
end

In this secure code example, we're connecting to the LDAP server over SSL/TLS (LDAPS). The network traffic, including the password sent in the bind request, is encrypted, which prevents attackers from intercepting the password.
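As an added example (not code from the original page), a hypothetical MyApp.LdapClient module that encrypts the connection either with LDAPS or with StartTLS, verifies the server certificate against a CA bundle, and fails closed if the TLS upgrade is refused. The host name, ports and CA bundle path are placeholder assumptions.

```elixir
# Added example, not from the original page: every bind goes over a verified TLS session.
defmodule MyApp.LdapClient do
  @host 'ldap.example.com'                             # placeholder host
  @ca_file '/etc/ssl/certs/ca-certificates.crt'        # assumed CA bundle path; adjust per system
  @timeout 5_000

  # TLS settings shared by LDAPS and StartTLS: authenticate the server, don't just encrypt.
  defp ssl_opts do
    [verify: :verify_peer, cacertfile: @ca_file, server_name_indication: @host, depth: 3]
  end

  # LDAPS: TLS from the first byte, on port 636.
  def connect(:ldaps) do
    :eldap.open([@host], port: 636, ssl: true, sslopts: ssl_opts(), timeout: @timeout)
  end

  # StartTLS: open plain port 389, then upgrade before anything sensitive is sent.
  # If the upgrade fails, the connection is closed rather than used in the clear.
  def connect(:starttls) do
    with {:ok, handle} <- :eldap.open([@host], port: 389, timeout: @timeout),
         :ok <- upgrade(handle) do
      {:ok, handle}
    end
  end

  defp upgrade(handle) do
    case :eldap.start_tls(handle, ssl_opts(), @timeout) do
      :ok ->
        :ok
      {:error, reason} ->
        :eldap.close(handle)
        {:error, {:start_tls_failed, reason}}
    end
  end

  # An empty password turns a simple bind into an unauthenticated (anonymous) bind,
  # which would look like a successful login; reject it before talking to the server.
  def bind(_mode, _bind_dn, ''), do: {:error, :empty_password}

  # Bind with a distinguished name; the password only ever travels inside TLS.
  def bind(mode, bind_dn, password) do
    with {:ok, handle} <- connect(mode),
         :ok <- :eldap.simple_bind(handle, bind_dn, password) do
      {:ok, handle}
    end
  end
end
```

Call MyApp.LdapClient.bind(:ldaps, 'cn=svc,dc=example,dc=com', 'secret') and close the returned handle with :eldap.close/1 when done.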

References