ldap injection


Jeff - Burly Systems

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

(Francis et al, ..., Thanks for all the great work on ruby-net-ldap.)

I'm thinking of doing something like the following:

...
require 'net/ldap'

def ldap_auth(uid, pss)
  # Reject missing or empty credentials. An empty password must be refused
  # explicitly: a simple bind with an empty password is an unauthenticated
  # bind, which many directories accept without checking anything.
  return false if uid.nil? || pss.nil? || pss.empty?

  # Allowlist check on the uid: fail closed if it contains anything outside
  # [a-zA-Z0-9._-] instead of binding with a silently altered value.
  stripped_uid = uid.gsub(/[^a-zA-Z0-9._-]+/i, '') # locale is en_US.UTF-8
  return false if stripped_uid != uid

  was_authd = false
  usr = "uid=#{uid},ou=people,dc=mydomain,dc=com"
  ldap = Net::LDAP.new
  ldap.host = "myldapserver"
  ldap.port = 389
  ldap.auth usr, pss            # simple bind with the client-supplied credentials
  was_authd = true if ldap.bind # true only if the directory accepted them

  return was_authd
rescue StandardError
  # Connection or protocol errors (e.g. Net::LDAP::Error) are not a pass.
  false
end
...

Thanks,

Jeff

Jeff - Burly Systems

By ldap injection (
http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml
), I was talking about potential security vulnerabilities, similar to
sql injection ( http://manuals.rubyonrails.com/read/chapter/43 )
attacks, and was wondering if Net::LDAP implemented anything internal
(similar to the use of ? in sql query strings in ruby-dbi or
ActiveRecord ) to help prevent such, or if I needed to test for and
attempt to cleanse any such potentially malicious user input
(especially in regards to uid) before using Net::LDAP.

I'll check out bind_as tho. Thanks,

Jeff
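The two defences discussed in this thread side by side, as an added example that is not Jeff's code and not part of ruby-net-ldap: the strict allowlist from the first post (reject, never strip), plus RFC 4514 DN-value escaping and RFC 4515 filter-value escaping for the case where a uid cannot be restricted to a safe character set. The escape helpers are reimplemented here so the file runs without a directory; ruby-net-ldap ships equivalents as Net::LDAP::DN.escape and Net::LDAP::Filter.escape. The bind step is passed in as a callable (an assumption for testability), and the server name and base DN are the ones from the original post.

```ruby
# Allowlist from the original post, tightened to reject rather than strip:
# "jeff,ou=admins" fails instead of becoming "jeffouadmins".
UID_ALLOWED = /\A[a-zA-Z0-9._-]{1,64}\z/

def valid_uid?(uid)
  uid.is_a?(String) && UID_ALLOWED.match?(uid)
end

# RFC 4514: escape an attribute value used inside a DN such as
# "uid=<value>,ou=people,...". Special characters get a backslash; a leading
# '#' or space and a trailing space are also escaped.
def escape_dn_value(value)
  out = value.gsub(/[,+"\\<>;=]/) { |c| "\\#{c}" }
  out = "\\#{out}" if out.start_with?('#', ' ')
  out = "#{out.chop}\\ " if value.end_with?(' ') && value.length > 1
  out
end

# RFC 4515: escape a value used inside a search filter, e.g. for bind_as.
# Each special character becomes a backslash plus its hex code.
FILTER_ESCAPES = { '(' => '\\28', ')' => '\\29', '*' => '\\2a',
                   '\\' => '\\5c', "\0" => '\\00' }.freeze

def escape_filter_value(value)
  value.gsub(/[()*\\\0]/) { |c| FILTER_ESCAPES[c] }
end

def bind_dn_for(uid)
  "uid=#{escape_dn_value(uid)},ou=people,dc=mydomain,dc=com"
end

def uid_filter_for(uid)
  "(uid=#{escape_filter_value(uid)})"
end

# Pass/fail auth. `bind` is any callable taking (dn, password) and returning
# true/false (hypothetical injection point so the example runs offline).
# With ruby-net-ldap it would be:
#   ->(dn, pss) { Net::LDAP.new(host: 'myldapserver', port: 389,
#                  auth: { method: :simple, username: dn, password: pss }).bind }
def ldap_auth(uid, pss, bind)
  # Empty password is refused: an empty simple bind is an unauthenticated bind.
  return false unless valid_uid?(uid) && pss.is_a?(String) && !pss.empty?
  bind.call(bind_dn_for(uid), pss) == true
rescue StandardError
  false # directory unreachable or protocol error: fail closed
end
```

The allowlist alone is enough for the uid in the original post; the escape helpers matter once uids may legitimately contain characters such as commas or spaces.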