LDAP connections must use explicit user credentials
ID: kotlin-security/avoid-anonymous-ldap
Language: Kotlin
Severity: Error
Category: Security
CWE: 287
Description
This rule enforces that LDAP connections in Kotlin applications must utilize explicit user credentials for authentication. LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
This rule is significant as it helps prevent unauthorized access to sensitive data. If LDAP connections are allowed to proceed without explicit user credentials, it might facilitate anonymous access, which can lead to data breaches or unauthorized modifications.
To comply with this rule, ensure that you are not enabling anonymous access when setting up LDAP connections. Instead, set explicit user credentials: setUserDn(username) and setPassword(password) for Spring LDAP, or put(Context.SECURITY_PRINCIPAL, username) and put(Context.SECURITY_CREDENTIALS, password) for Java's JNDI. This authentication step ensures that only authorized users can access the LDAP resources, thereby maintaining the security and integrity of the data.
Non-Compliant Code Examples
import org.springframework.ldap.core.support.LdapContextSource

fun configureLDAP(): LdapContextSource {
    return LdapContextSource().apply {
        setUrl("ldap://localhost:389")
        // Dangerous: Enables anonymous access
        setAnonymousReadOnly(true)
        afterPropertiesSet()
    }
}
import java.util.Hashtable
import javax.naming.Context
import javax.naming.directory.InitialDirContext

fun connectLDAP() {
    val env = Hashtable<String, Any>()
    env.apply {
        put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
        put(Context.PROVIDER_URL, "ldap://localhost:389")
        // Dangerous: Anonymous bind
        put(Context.SECURITY_AUTHENTICATION, "none")
    }
    // The bind happens here, with no identity presented to the server
    val context = InitialDirContext(env)
}
Compliant Code Examples
import org.springframework.ldap.core.support.LdapContextSource

fun configureLDAPSecurely(
    username: String,
    password: String
): LdapContextSource {
    return LdapContextSource().apply {
        setUrl("ldap://localhost:389")
        setUserDn(username)
        setPassword(password)
        // Optional: Enable connection pooling for better performance
        setPooled(true)
        afterPropertiesSet()
    }
}
import java.util.Hashtable
import javax.naming.Context
import javax.naming.directory.InitialDirContext

fun connectLDAPSecurely(username: String, password: String) {
    val env = Hashtable<String, Any>()
    env.apply {
        put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
        put(Context.PROVIDER_URL, "ldap://localhost:389")
        // Secure: Using explicit authentication
        put(Context.SECURITY_AUTHENTICATION, "simple")
        put(Context.SECURITY_PRINCIPAL, username)
        put(Context.SECURITY_CREDENTIALS, password)
    }
    // The bind happens here, authenticated as the supplied principal
    val context = InitialDirContext(env)
}
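As an added example, not part of this rule page or of Datadog's own rule implementation, a small Python scanner that applies the checks described above to Kotlin snippets: the two explicit anonymous shapes from the non-compliant examples, a principal bound with an empty password, and a context that never receives credentials. The credential-less heuristics rest on the library defaults noted in the comments, which are assumptions of this scanner, not statements from the rule.

```python
import re

# Line-level markers of an explicit anonymous connection, matching the shapes the rule targets.
LINE_RULES = [
    (re.compile(r"setAnonymousReadOnly\(\s*true\s*\)"),
     "Spring LDAP: setAnonymousReadOnly(true) enables anonymous access"),
    (re.compile(r'put\(\s*Context\.SECURITY_AUTHENTICATION\s*,\s*"none"\s*\)'),
     'JNDI: SECURITY_AUTHENTICATION "none" performs an anonymous bind'),
    # A principal with an empty password is an "unauthenticated" bind (RFC 4513, 5.1.2):
    # servers that accept it grant the same access as an anonymous bind.
    (re.compile(r'(setPassword\(\s*""\s*\)|Context\.SECURITY_CREDENTIALS\s*,\s*"")'),
     "empty password: an unauthenticated bind proves no identity"),
]
# Snippet-level checks: an LDAP context that never receives a principal and password.
JNDI_LDAP_FACTORY = re.compile(r'Context\.INITIAL_CONTEXT_FACTORY\s*,\s*"com\.sun\.jndi\.ldap\.')
JNDI_CREDENTIALS = re.compile(r"Context\.SECURITY_PRINCIPAL[\s\S]*Context\.SECURITY_CREDENTIALS")
SPRING_SOURCE = re.compile(r"\bLdapContextSource\(\)")
SPRING_CREDENTIALS = re.compile(r"setUserDn\([\s\S]*setPassword\(")


def find_anonymous_ldap(source: str) -> list:
    """Scan one Kotlin snippet; return (line number, message) findings, line 0 = whole snippet."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, message in LINE_RULES:
            if pattern.search(line):
                findings.append((lineno, message))
    # Assumption behind the two heuristics below: a context configured with no credentials binds
    # anonymously (JNDI defaults to "none" without a principal; Spring LDAP without userDn).
    if JNDI_LDAP_FACTORY.search(source) and not JNDI_CREDENTIALS.search(source):
        findings.append((0, "JNDI: LDAP context has no SECURITY_PRINCIPAL/SECURITY_CREDENTIALS"))
    if SPRING_SOURCE.search(source) and not SPRING_CREDENTIALS.search(source):
        findings.append((0, "Spring LDAP: LdapContextSource has no setUserDn/setPassword"))
    return findings


# Constructed sample: the JNDI non-compliant shape from this rule, condensed to four lines.
ANONYMOUS_JNDI = '''
val env = Hashtable<String, Any>()
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
env.put(Context.SECURITY_AUTHENTICATION, "none")
val context = InitialDirContext(env)
'''.strip()

# Constructed sample: credentials supplied explicitly, as the compliant Spring example does.
AUTHENTICATED_SPRING = '''
LdapContextSource().apply {
    setUserDn(username)
    setPassword(password)
}
'''.strip()
```

Running find_anonymous_ldap over the first sample reports the "none" bind on line 3 and the missing credentials for the whole snippet; the second sample produces no findings.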