Insecure authentication method - LDAP - Elixir

Insecure authentication method - LDAP - Elixir

Need

Secure communication with LDAP server

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Elixir's LDAP library for LDAP integration

Description

Non compliant code

        defmodule MyApp.Insecure do
  @username 'username'
  @password 'password'
  def authenticate do
    :eldap.open(['ldap://example.com'])
    |> :eldap.simple_bind({@username, @password})
  end
end
        
        

In this insecure code example, we're connecting to an LDAP server without any encryption. The password is sent in plaintext over the network. An attacker who can listen to the network traffic can intercept the password.

Steps

  • Use LDAP over SSL (LDAPS) to encrypt the network traffic.
  • Bind all blind authentication connections to a separate LDAP server.
  • When allowing connections from the internet, only allow blind authentication.

Compliant code

        defmodule MyApp.Secure do
  @username 'username'
  @password 'password'
  def authenticate do
    :eldap.open(['ldaps://example.com'])
    |> :eldap.simple_bind({@username, @password})
  end
end
        
        

In this secure code example, we're connecting to the LDAP server over SSL. The network traffic, including the password, is encrypted. This prevents attackers from intercepting the password.

References