ID: kotlin-security/avoid-anonymous-ldap
Language: Kotlin
Severity: Error
Category: Security
CWE: 287
This rule enforces that LDAP connections in Kotlin applications must utilize explicit user credentials for authentication. LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
This rule is significant as it helps prevent unauthorized access to sensitive data. If LDAP connections are allowed to proceed without explicit user credentials, it might facilitate anonymous access, which can lead to data breaches or unauthorized modifications.
To comply with this rule, ensure that you are not enabling anonymous access when setting up LDAP connections. Instead, use methods like `setUserDn(username)` and `setPassword(password)` for Spring LDAP, or `put(Context.SECURITY_PRINCIPAL, username)` and `put(Context.SECURITY_CREDENTIALS, password)` for Java's JNDI, to set explicit user credentials. This authentication process ensures that only authorized users can access the LDAP resources, thereby maintaining the security and integrity of the data.
```kotlin
import org.springframework.ldap.core.support.LdapContextSource

fun configureLDAP(): LdapContextSource {
    return LdapContextSource().apply {
        setUrl("ldap://localhost:389")
        // Dangerous: Enables anonymous access
        setAnonymousReadOnly(true)
        afterPropertiesSet()
    }
}
```

```kotlin
import java.util.Hashtable
import javax.naming.Context
import javax.naming.directory.InitialDirContext

fun connectLDAP() {
    val env = Hashtable<String, Any>()
    env.apply {
        put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
        put(Context.PROVIDER_URL, "ldap://localhost:389")
        // Dangerous: Anonymous bind
        put(Context.SECURITY_AUTHENTICATION, "none")
    }
    val context = InitialDirContext(env)
}
```
```kotlin
import org.springframework.ldap.core.support.LdapContextSource

fun configureLDAPSecurely(
    username: String,
    password: String
): LdapContextSource {
    return LdapContextSource().apply {
        setUrl("ldap://localhost:389")
        setUserDn(username)
        setPassword(password)
        // Optional: Enable connection pooling for better performance
        setPooled(true)
        afterPropertiesSet()
    }
}
```

```kotlin
import java.util.Hashtable
import javax.naming.Context
import javax.naming.directory.InitialDirContext

fun connectLDAPSecurely(username: String, password: String) {
    val env = Hashtable<String, Any>()
    env.apply {
        put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
        put(Context.PROVIDER_URL, "ldap://localhost:389")
        // Secure: Using explicit authentication
        put(Context.SECURITY_AUTHENTICATION, "simple")
        put(Context.SECURITY_PRINCIPAL, username)
        put(Context.SECURITY_CREDENTIALS, password)
    }
    val context = InitialDirContext(env)
}
```
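As an added illustration of what this rule checks for (example code written here, not Datadog's analyzer or part of the rule page), the Python scanner below flags the two anonymous-bind patterns from the snippets above, plus a weaker heuristic for a JNDI `InitialDirContext` built without any `SECURITY_PRINCIPAL`; the Kotlin inputs are constructed samples that mirror the page's examples.

```python
import re

# Patterns taken from the rule's non-compliant examples (Spring LDAP and JNDI).
SPRING_ANON = re.compile(r"setAnonymousReadOnly\(\s*true\s*\)")
JNDI_NONE = re.compile(r'put\(\s*Context\.SECURITY_AUTHENTICATION\s*,\s*"none"\s*\)')
JNDI_PRINCIPAL = re.compile(r"Context\.SECURITY_PRINCIPAL")
JNDI_CTX = re.compile(r"InitialDirContext\(")


def find_anonymous_ldap(source: str) -> list[tuple[int, str]]:
    """Return (line_number, message) findings for anonymous LDAP binds.

    Line-oriented heuristic: flags the two explicit anonymous-access calls,
    and (file-wide) an InitialDirContext created when no SECURITY_PRINCIPAL
    is set anywhere, which is the JNDI default of an anonymous bind.
    """
    findings = []
    lines = source.splitlines()
    for no, line in enumerate(lines, start=1):
        if SPRING_ANON.search(line):
            findings.append((no, "Spring LDAP: setAnonymousReadOnly(true) enables anonymous access"))
        if JNDI_NONE.search(line):
            findings.append((no, 'JNDI: SECURITY_AUTHENTICATION "none" performs an anonymous bind'))
    ctx_lines = [no for no, line in enumerate(lines, start=1) if JNDI_CTX.search(line)]
    if ctx_lines and not any(JNDI_PRINCIPAL.search(line) for line in lines):
        findings.append((ctx_lines[0], "JNDI: InitialDirContext created without Context.SECURITY_PRINCIPAL"))
    return sorted(findings)


# Constructed sample inputs mirroring the rule's non-compliant and compliant snippets.
NONCOMPLIANT_KT = '''\
fun configureLDAP(): LdapContextSource = LdapContextSource().apply {
    setUrl("ldap://localhost:389")
    setAnonymousReadOnly(true)
}
fun connectLDAP() {
    val env = Hashtable<String, Any>()
    env.put(Context.SECURITY_AUTHENTICATION, "none")
    val context = InitialDirContext(env)
}
'''

COMPLIANT_KT = '''\
fun connectLDAPSecurely(username: String, password: String) {
    val env = Hashtable<String, Any>()
    env.put(Context.SECURITY_AUTHENTICATION, "simple")
    env.put(Context.SECURITY_PRINCIPAL, username)
    env.put(Context.SECURITY_CREDENTIALS, password)
    val context = InitialDirContext(env)
}
'''
```

Running `find_anonymous_ldap(NONCOMPLIANT_KT)` reports lines 3, 7 and 8, while the compliant sample yields no findings.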