Ldap injection

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

(Francis et al, …, Thanks for all the great work on ruby-net-ldap.)

I’m thinking of doing something like the following:


require 'net/ldap'

# Simple pass/fail bind authentication for a client-supplied uid and password.
def ldap_auth(uid, pss)
  # Reject nil and empty values: an empty password would turn the simple bind
  # into an unauthenticated bind, which many directory servers accept.
  return false if uid.to_s.empty? || pss.to_s.empty?

  # Allow only letters, digits, dot, underscore and hyphen in the uid
  # (locale is en_US.UTF-8); reject the request if anything was stripped.
  stripped_uid = uid.gsub(/[^a-zA-Z0-9._-]+/i, '')
  return false if stripped_uid != uid

  was_authd = false
  usr = "uid=#{uid},ou=people,dc=mydomain,dc=com"
  ldap = Net::LDAP.new
  ldap.host = "myldapserver"
  ldap.port = 389
  ldap.auth usr, pss
  was_authd = true if ldap.bind

  return was_authd
end

Thanks,

Jeff

On 8/23/07, Jeff - Burly S. [email protected] wrote:

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

I’m not clear on what you mean by “ldap injection.” Are you having
concerns relating to security?

Look at the Net::LDAP#bind_as function. You can do some of this (not the
uid scrub) in fewer steps.

On 8/24/07, Jeff - Burly S. [email protected] wrote:

I’ll check out bind_as tho. Thanks,

It’s always a good idea to scrub user input anyway. In your example,
you’re getting a string from the user that might be crafted to carry an
attack. In your code, the string will get passed to an LDAP bind, not a
search. If the attacker doesn’t provide a correct authentication, he
won’t get anywhere. Assuming proper access controls in your directory,
subsequent search requests will only retrieve data that the
authenticated user is allowed to see. Also assuming proper access
control, the user won’t be able to add, change or delete data.

Net::LDAP has an API for constructing filters that allows you to build
them up branch by branch. If you’re concerned about maliciously-crafted
search filters, use that API and scrub the incoming data carefully.

Bottom line, if your directory is badly designed, you can be vulnerable.
Without knowing your specifics, I can’t give advice beyond that.

By ldap injection
(http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml),
I was talking about potential security vulnerabilities, similar to sql
injection (Peak Obsession) attacks, and was wondering if Net::LDAP
implemented anything internal (similar to the use of ? in sql query
strings in ruby-dbi or ActiveRecord) to help prevent such, or if I
needed to test for and attempt to cleanse any such potentially
malicious user input (especially in regards to uid) before using
Net::LDAP.

I’ll check out bind_as tho. Thanks,

Jeff
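Added example (not code from the thread or from ruby-net-ldap): the allow-list check from Jeff's ldap_auth beside the two escaping rules a value needs when it is embedded in a DN (RFC 4514) or in a search filter (RFC 4515), which is what Francis's advice to scrub data for the filter API amounts to. Newer net-ldap releases ship Net::LDAP::Filter.escape for the filter half; the base DN below is the one from Jeff's code and all sample inputs are constructed.

```ruby
# Escaping and allow-listing for client-supplied values that end up inside
# LDAP DNs and search filters. Stand-alone illustration; the base DN and the
# inputs in the comments are constructed, not taken from a real directory.
module LdapSafe
  # RFC 4514: characters that must be backslash-escaped in a DN attribute value.
  DN_SPECIAL = /[\\,+"<>;=]/
  # RFC 4515: characters that must be hex-escaped inside a search filter value.
  FILTER_ESCAPES = { "\\" => "\\5c", "*" => "\\2a", "(" => "\\28",
                     ")" => "\\29", "\0" => "\\00" }.freeze

  # Jeff's approach from the thread: accept only a conservative character set,
  # so no DN or filter metacharacter can reach the server at all.
  def self.safe_uid?(uid)
    uid.is_a?(String) && uid.match?(/\A[a-zA-Z0-9._-]+\z/)
  end

  # Escape a value for use as a DN attribute value, e.g. "uid=<value>,ou=people".
  # The escaped form cannot introduce a new RDN component or attribute type.
  def self.escape_dn_value(value)
    out = value.gsub(DN_SPECIAL) { |c| "\\#{c}" }
    out = "\\" + out if out.start_with?("#", " ")           # leading '#' or space
    out = out[0..-2] + "\\ " if value.length > 1 && value.end_with?(" ")
    out
  end

  # Escape a value for use inside a filter such as "(uid=<value>)". The escaped
  # form cannot close the parenthesis or turn the match into a wildcard.
  def self.escape_filter_value(value)
    value.gsub(/[\\*()\x00]/, FILTER_ESCAPES)
  end

  # The bind DN built in ldap_auth, with the uid escaped instead of trusted.
  def self.bind_dn(uid, base = "ou=people,dc=mydomain,dc=com")
    "uid=#{escape_dn_value(uid)},#{base}"
  end

  # An equality filter of the kind a search-then-bind lookup would issue.
  def self.uid_filter(uid)
    "(uid=#{escape_filter_value(uid)})"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts LdapSafe.safe_uid?("jdoe")             # true
  puts LdapSafe.safe_uid?("jdoe,ou=x")        # false: rejected by the allow-list
  puts LdapSafe.bind_dn("j+doe")              # uid=j\+doe,ou=people,dc=mydomain,dc=com
  puts LdapSafe.uid_filter("x)(y")            # (uid=x\29\28y)
end
```

Prefer the allow-list where the uid format permits it; escaping is the fallback for values that legitimately contain metacharacters.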