Missing Authentication for LDAP Connection
Description
The application connects to an LDAP server without presenting any credentials, i.e. it performs an anonymous bind (`Context.SECURITY_AUTHENTICATION` set to `"none"`). The directory then has no identity to tie the session to: it cannot apply per-account access controls to the queries, cannot attribute them in its logs, and whatever it exposes to anonymous clients is readable by anyone who can reach the port. It is strongly recommended that the LDAP server be configured to require authentication and to restrict what each authenticated account can query, and that the application bind with a dedicated account.
Examples
Insecure Code
```java
// Anonymous bind: the directory sees no identity and cannot apply per-account access controls
env.put(Context.SECURITY_AUTHENTICATION, "none");
```
Secure Code
```java
// Authenticated simple bind with a dedicated account (send it only over ldaps:// or StartTLS)
props.put(Context.SECURITY_AUTHENTICATION, "simple");
props.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=org");
// Never hard-code the bind password; retrieve it at runtime from a secret store or KMS
String ldapAccountPassword = getAccountPasswordFromSecureStoreOrKMS();
props.put(Context.SECURITY_CREDENTIALS, ldapAccountPassword);
```
Remediation
Configure the LDAP server to require authentication and to restrict what each account may query (server-side ACLs, with the application binding as a read-only service account scoped to the subtree it actually needs rather than as a directory administrator). In the application, set `SECURITY_AUTHENTICATION` to `"simple"` (or a SASL mechanism the server supports) and supply a `SECURITY_PRINCIPAL` and `SECURITY_CREDENTIALS` pair. A simple bind sends the password in clear text, so connect over `ldaps://` or negotiate StartTLS before binding. Retrieve the bind password at runtime from a secret store or KMS rather than hard-coding it or committing it in configuration files, and treat an empty password as an error, since many servers treat a simple bind with an empty password as an unauthenticated bind.
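The following is an added example, not code from the rule page, showing the remediation end to end with JNDI: an authenticated simple bind over `ldaps://`, the bind password read at runtime (the `LDAP_BIND_PASSWORD` environment variable stands in for a secret-store or KMS call), a fail-closed check that rejects the configurations this rule flags before a socket is opened, and a lookup performed through the authenticated context. The host name, base DN, bind DN and the `AuthenticatedLdapLookup` class and its methods are assumptions made for this example.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Authenticated JNDI/LDAP lookup. Host name, DNs and the LDAP_BIND_PASSWORD
 * environment variable are placeholders for this example, not values from the
 * rule page or from any real deployment.
 */
public class AuthenticatedLdapLookup {

    // ldaps:// so the simple-bind password is never sent in clear text.
    private static final String LDAP_URL = "ldaps://ldap.example.org:636";
    private static final String BASE_DN = "dc=example,dc=org";
    // A dedicated read-only service account; its rights are limited by server-side ACLs.
    private static final String BIND_DN = "cn=app-reader,ou=services,dc=example,dc=org";

    /** Build the JNDI environment for an authenticated simple bind. */
    static Hashtable<String, Object> buildEnv(String url, String bindDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // never "none"
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /**
     * Fail closed on the configurations this rule flags, before a socket is opened:
     * an anonymous bind, an empty password (which many servers treat as an
     * unauthenticated bind), or a simple bind over a non-TLS URL.
     */
    static void validateEnv(Hashtable<String, Object> env) {
        Object auth = env.get(Context.SECURITY_AUTHENTICATION);
        if (auth == null || "none".equals(auth)) {
            throw new IllegalStateException("LDAP bind must not be anonymous");
        }
        if ("simple".equals(auth)) {
            Object cred = env.get(Context.SECURITY_CREDENTIALS);
            if (cred == null || cred.toString().isEmpty()) {
                throw new IllegalStateException("simple bind requires a non-empty password");
            }
            String url = String.valueOf(env.get(Context.PROVIDER_URL));
            if (!url.startsWith("ldaps://")) {
                // Alternative: ldap:// followed by a StartTLS negotiation before the bind.
                throw new IllegalStateException(
                        "simple bind over " + url + " exposes the password; use ldaps://");
            }
        }
    }

    /** Look up one attribute; the filter value is passed as an argument, not concatenated. */
    static String lookupMail(DirContext ctx, String uid) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"mail"});
        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(uid={0})", new Object[] {uid}, controls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            Attribute mail = results.next().getAttributes().get("mail");
            return mail == null ? null : (String) mail.get();
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Stand-in for a secrets manager or KMS call; the variable name is an assumption.
        String password = System.getenv("LDAP_BIND_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        }
        Hashtable<String, Object> env = buildEnv(LDAP_URL, BIND_DN, password);
        validateEnv(env);

        DirContext ctx = new InitialDirContext(env); // the bind happens here
        try {
            System.out.println("mail for alice: " + lookupMail(ctx, "alice"));
        } finally {
            ctx.close();
        }
    }
}
```

`validateEnv` is the application-side counterpart of this rule: it turns the static finding into a runtime guard, so a misconfiguration that sneaks in through a properties file still fails before any directory traffic is sent. The server-side half of the remediation (ACLs limiting what `cn=app-reader` may read) is configured on the directory itself and is not shown here.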
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0713 |
| Category | Auth |
| Severity | HIGH |
| CWE | CWE-306 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | authentication, ldap |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |