comp.lang.ruby

ldap injection

Jeff - Burly Systems

8/24/2007 1:30:00 AM

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

(Francis et al, ..., Thanks for all the great work on ruby-net-ldap.)

I'm thinking of doing something like the following:

...
require 'net/ldap'

def ldap_auth(uid, pss)
  # Reject missing input; also reject an empty password, because a simple
  # bind with a DN and an empty password is an unauthenticated bind that
  # many servers accept (RFC 4513 5.1.2), which would report success.
  return false if uid.nil? || pss.nil? || pss.empty?

  # Allow-list: any uid containing characters outside [a-zA-Z0-9._-] is
  # rejected (the /i flag was redundant, both cases are already listed).
  stripped_uid = uid.gsub(/[^a-zA-Z0-9._-]+/, '') # locale is en_US.UTF-8
  return false if stripped_uid != uid

  was_authd = false
  usr = "uid=#{uid},ou=people,dc=mydomain,dc=com"
  ldap = Net::LDAP.new
  ldap.host = "myldapserver"
  ldap.port = 389
  ldap.auth usr, pss
  was_authd = true if ldap.bind

  return was_authd
end
...

Thanks,

Jeff

1 Answer

Jeff - Burly Systems

8/24/2007 3:07:00 PM


By ldap injection (
http://www.webappsec.org/projects/threat/classes/ldap_injec...
), I was talking about potential security vulnerabilities, similar to
sql injection ( http://manuals.rubyonrails.com/read/... )
attacks, and was wondering if Net::LDAP implemented anything internal
(similar to the use of ? in sql query strings in ruby-dbi or
ActiveRecord ) to help prevent such, or if I needed to test for and
attempt to cleanse any such potentially malicious user input
(especially in regards to uid) before using Net::LDAP.

I'll check out bind_as tho. Thanks,

Jeff

On 8/24/07, Francis Cianfrocca <garbagecat10@gmail.com> wrote:
> On 8/23/07, Jeff - Burly Systems <jeff.burly@gmail.com> wrote:
> >
> > Any issues / advice guarding against ldap injection when doing a
> > simple pass/fail ldap auth using Net::LDAP#auth and #bind for
> > client-supplied uid and pss?
>
> I'm not clear on what you mean by "ldap injection." Are you having concerns
> relating to security?
>
> Look at the Net::LDAP#bind_as function. You can do some of this (not the uid
> scrub) in fewer steps.
>