LDAP authentication with `ldap-haskell`: can it be made secure?

Tags: haskell, ldap

I'm building a Haskell web application for which I need authentication. My organization runs an LDAP server, and I would prefer not to reinvent the wheel. However, when I inspect the source code for `LDAP.Init.ldapSimpleBind` from the `ldap-haskell` package, I discover that it calls the C routine `ldap_simple_bind_s`. As far as I can tell, this API call is going to send my users' passwords in the clear to an LDAP server. Not acceptable.

  • Have I understood correctly what `ldap-haskell` is doing?

  • If so, is there a secure way for me to authenticate my users to an LDAP server from an application written in Haskell?

Norman Ramsey, asked May 14 '12 03:05

2 Answers

Passwords must be sent in the clear over a secure connection to an LDAP server that supports password policy checks. Failure to do so will result in the server being unable to manage password history and password quality checks. If the server does not support password policy and history checks, then that server should not be used for non-trivial, mission-critical applications. Use either SSL, or failing that, an insecure connection promoted to TLS using the StartTLS extended operation.

Terry Gardner, answered Nov 15 '22 11:11


Can you use port 636 (secure LDAP) instead of port 389 to connect to your LDAP server? In this case you would at least have SSL protection.

CognitiveCarbon, answered Nov 15 '22 09:11
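Both answers above rest on the same point: a simple bind never hides the password itself, so protection has to come from the channel (LDAPS on port 636, or a StartTLS upgrade). As an added illustration that is not from the question, either answer, or the `ldap-haskell` package, the standard-library Python below encodes the LDAPv3 BindRequest that `ldap_simple_bind_s` emits, shows the password sitting in it verbatim, and sends that unchanged PDU through a certificate-verifying TLS socket to port 636; the DN, password and host are constructed sample values.

```python
"""LDAPv3 simple bind on the wire, and the same PDU sent over LDAPS (port 636)."""
import socket
import ssl

def _ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV with a definite length (payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def _ber_int(value: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement bytes."""
    return _ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.

    This is what ldap_simple_bind_s hands to the transport: the password is a
    plain OCTET STRING, so its confidentiality depends entirely on TLS below."""
    bind = _ber(0x60,                                    # [APPLICATION 0]
                _ber_int(3)                              # version
                + _ber(0x04, bind_dn.encode("utf-8"))    # name (LDAPDN)
                + _ber(0x80, password.encode("utf-8")))  # authentication: simple
    return _ber(0x30, _ber_int(message_id) + bind)       # outer SEQUENCE

def password_visible_on_wire(pdu: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the PDU (they always do)."""
    return password.encode("utf-8") in pdu

def ldaps_bind(host: str, bind_dn: str, password: str, port: int = 636) -> bytes:
    """Send the same BindRequest over LDAPS with certificate and hostname checks.

    The PDU is unchanged; only the channel differs. Returns the raw BindResponse
    bytes for the caller to decode (resultCode 0 means the bind succeeded)."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(1, bind_dn, password))
            return tls.recv(4096)
```

Calling `simple_bind_request(1, "cn=alice,dc=example,dc=org", "s3cret").hex()` lets you see the DN and password as plain bytes; `ldaps_bind` only changes what wraps them, which is why `ssl.create_default_context()` (verification on) matters as much as the port number.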