ldap injection

Jeff - Burly Systems · Aug 24, 2007

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

(Francis et al, ..., Thanks for all the great work on ruby-net-ldap.)

I'm thinking of doing something like the following:

...
def ldap_auth(uid, pss)
return false if not uid or not pss

stripped_uid = uid.gsub(/[^a-zA-Z0-9._-]+/i, '') # locale is en_US.UTF-8
return false if stripped_uid != uid

was_authd = false
usr = "uid=#{uid},ou=people,dc=mydomain,dc=com"
ldap = Net::LDAP.new
ldap.host = "myldapserver"
ldap.port = 389
ldap.auth usr, pss
was_authd = true if ldap.bind

return was_authd
end
...

Thanks,

Jeff

Jeff - Burly Systems · Aug 24, 2007

By ldap injection (
http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml
), I was talking about potential security vulnerabilities, similar to
sql injection ( http://manuals.rubyonrails.com/read/chapter/43 )
attacks, and was wondering if Net::LDAP implemented anything internal
(similar to the use of ? in sql query strings in ruby-dbi or
ActiveRecord ) to help prevent such., or if I needed to test for and
attempt to cleanse any such potentially malicious user input
(especailly in regards to uid) before using Net::LDAP.

I'll check out bind_as tho. Thanks,

Jeff

LDAP Authentication with Username	1	Apr 23, 2010
net ldap problem?	1	Aug 31, 2010
Simple LDAP query	4	Oct 29, 2008
LDAP bind error	2	Oct 8, 2007
ruby net ldap bind issue	1	Jun 26, 2009
Ruby-net-ldap fail	11	Jul 31, 2009
net::ldap - add_attribute	5	Feb 2, 2007
ruby-net-ldap paged search control	0	Aug 27, 2009

ldap injection

Jeff - Burly Systems

Jeff - Burly Systems

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads