I'm building a Haskell web application for which I need authentication. My organization runs an LDAP server, and I would prefer not to reinvent the wheel. However, when I inspect the source code for LDAP.Init.ldapSimpleBind from the ldap-haskell package, I discover that it calls the C routine ldap_simple_bind_s. As far as I can tell, this API call is going to send my users' passwords in the clear to an LDAP server. Not acceptable.

Have I understood correctly what ldap-haskell is doing?

If so, is there a secure way for me to authenticate my users to an LDAP server from an application written in Haskell?
Alternately, some authentication mechanisms (through SASL) allow establishing signing and encryption. Most of the recent LDAP-based directory servers support these modes, and often have configuration parameters to prevent insecure communications. LDAPS, on the other hand, is secure by default as long as proper ciphers are negotiated.
Essentially, you need to set up LDAP to authenticate credentials against Active Directory. The “BIND” operation is used to set the authentication state for an LDAP session in which the LDAP client connects to the server. You have two options when it comes to performing LDAP authentication: simple and SASL.
What Is LDAP? The Lightweight Directory Access Protocol (LDAP) is an open, cross-platform software protocol used for authentication and communication in directory services.
Further, as LDAP is often used as a common authentication service behind several user-facing services, there is a serious risk of unintentional denial of service. An example of this is where a user changes their password in LDAP but forgets to (or is unable to) change the stored password in their email client.
Passwords must be sent in the clear over a secure connection to an LDAP server that supports password policy checks. Failure to do so will result in the server being unable to manage password history and password quality checks. If the server does not support password policy and history checks, then that server should not be used for non-trivial, mission-critical applications. Use either SSL, or failing that, an insecure connection promoted to TLS using the StartTLS extended operation.
Can you use port 636 (secure LDAP) instead of port 389 to connect to your LDAP server? In this case you would at least have SSL protection.
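The point every answer above turns on is that a simple bind (RFC 4511 BindRequest with the `simple` authentication choice, which is exactly what `ldap_simple_bind_s` emits) carries the password as a verbatim OCTET STRING, so the protection has to come from the transport: an ldaps:// connection on 636, or a StartTLS extended operation completed before the bind. The example below is added here and is not from the question, the answers or the ldap-haskell package; it is written in Python rather than Haskell because it works at the wire level, hand-encoding the BER of a BindRequest and a StartTLS ExtendedRequest per RFC 4511 and then parsing the bind back the way a passive observer on a cleartext port-389 session would. The DN `cn=alice,dc=example,dc=com` and password `hunter2` are constructed sample values; the StartTLS OID 1.3.6.1.4.1.1466.20037 is the one assigned by RFC 4511/4513. With ldap-haskell the same conclusion applies: the fix is on the connection side (an ldaps:// URL, or StartTLS before calling `ldapSimpleBind`), not in the bind call itself.

```python
# Added example: LDAPv3 simple BindRequest and StartTLS ExtendedRequest encoded
# by hand per RFC 4511, plus a sniffer that recovers the credentials from a
# cleartext bind. Not code from ldap-haskell; DN and password are constructed.

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14 / RFC 4513


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02) with a minimal two's-complement body (non-negative inputs here)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    This is the PDU ldap_simple_bind_s puts on the wire: the password is an
    ordinary OCTET STRING, nothing is hashed or challenge-based.
    """
    version = ber_int(3)
    name = tlv(0x04, dn.encode())          # LDAPDN is an OCTET STRING
    auth = tlv(0x80, password.encode())    # AuthenticationChoice simple [0], context tag 0x80
    op = tlv(0x60, version + name + auth)  # APPLICATION 0, constructed -> 0x60
    return tlv(0x30, ber_int(msg_id) + op)


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } for StartTLS.

    A client on port 389 must send this, receive a success ExtendedResponse,
    and complete the TLS handshake before sending any bind_request.
    """
    op = tlv(0x77, tlv(0x80, START_TLS_OID.encode()))  # APPLICATION 23 -> 0x77
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(pdu: bytes):
    """What an observer of a cleartext LDAP session recovers from one PDU.

    Returns (dn, password) for a simple BindRequest, or None for anything else
    (including a SASL bind, whose credentials are not a plain OCTET STRING).
    """
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        return None
    _, _version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != 0x80:
        return None
    return dn.decode(), auth.decode()


def password_visible(pdu: bytes, password: str) -> bool:
    """True if the raw password bytes appear verbatim in the encoded PDU."""
    return password.encode() in pdu


if __name__ == "__main__":
    pdu = bind_request(1, "cn=alice,dc=example,dc=com", "hunter2")
    print("bind PDU :", pdu.hex())
    print("recovered:", sniff_simple_bind(pdu))
    print("StartTLS :", starttls_request(2).hex())
```

Running it prints the bind PDU with `hunter2` readable in the hex dump and the sniffer returning the DN and password, which is the whole reason a simple bind must only ever be issued after TLS is up. The StartTLS request shows the extra round trip a port-389 client needs before the bind; on an ldaps:// (port 636) connection the TLS handshake happens first and no StartTLS message is sent.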