Simple Bind
To authenticate using Simple Bind, the LDAP client supplies a DN and a clear-text password.
Threats
1. The DN and password can be copied by an attacker watching network traffic.
2. The DN and password can be copied by an attacker who can impersonate the LDAP server.
3. The DN and password can be copied by an attacker who can subvert the server.
In each case, the attacker gains the ability to impersonate the user - possibly on multiple services.
Controls
- Avoid using Simple Bind if possible. There are stronger methods available.
- If using Simple Bind is essential, the session must be protected using TLS encryption. This protects against threats 1 and 2 above (the password is encrypted in transit, and a client that verifies the server's certificate will not hand it to an impostor), but not against threat 3, because the genuine server still receives the clear-text password after TLS is stripped off.
- Configure LDAP servers to refuse simple bind requests unless an adequate TLS encryption layer is in place.
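As an added example (not part of the original page, and not the code of any LDAP product) to make threats 1 and 2 and the TLS control concrete: the standard-library Python below encodes a Simple Bind request exactly as RFC 4511 puts it on the wire, so it is plain to see that the password travels as ordinary octets. `inspect_bind` is the sort of check a network monitor can run over LDAP traffic on a non-TLS session to flag Simple Binds without recording the password, and `bind_over_tls` is a client that will only send the request inside an LDAPS session whose server certificate is verified against a CA file. The host name, DN, password and CA path are placeholders I have made up for the example.

```python
"""Simple Bind on the wire (RFC 4511), a monitor check, and a TLS-only client.

Added example, not from the original page.  Standard library only; the
server name, DN, password and CA file used below are constructed placeholders.
"""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    messageID is kept to 1..127 so it fits a single positive INTEGER octet.
    """
    if not 1 <= msg_id <= 127:
        raise ValueError("msg_id must be 1..127 for this minimal encoder")
    bind = tlv(0x60,                               # [APPLICATION 0] BindRequest
               tlv(0x02, b"\x03")                  # version 3
               + tlv(0x04, dn.encode())            # name (LDAPDN)
               + tlv(0x80, password.encode()))     # simple [0] OCTET STRING: the clear password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(packet: bytes):
    """Classify one LDAPMessage: ('simple', dn), ('sasl', dn) or (None, None).

    The password is deliberately never returned: a monitor only needs to know
    that a Simple Bind was attempted on this session, not what the secret was.
    """
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None, None
    _, _, pos = read_tlv(msg, 0)                   # messageID, ignored
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:
        return None, None                          # not a BindRequest
    _, _, pos = read_tlv(op, 0)                    # version
    _, dn, pos = read_tlv(op, pos)                 # name
    auth_tag, _, _ = read_tlv(op, pos)             # [0] simple or [3] sasl
    return ("simple" if auth_tag == 0x80 else "sasl"), dn.decode()


def bind_over_tls(host: str, dn: str, password: str, ca_file: str, port: int = 636) -> int:
    """Send a Simple Bind only inside a verified LDAPS session; return the resultCode.

    create_default_context() gives CERT_REQUIRED plus host-name checking, so an
    impostor without a certificate chaining to ca_file never sees the password.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(1, dn, password))
            resp = tls.recv(4096)
    _, msg, _ = read_tlv(resp, 0)
    _, _, pos = read_tlv(msg, 0)                   # messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:                             # [APPLICATION 1] BindResponse
        raise ValueError("expected a BindResponse")
    _, code, _ = read_tlv(op, 0)                   # resultCode ENUMERATED (0 = success)
    return int.from_bytes(code, "big")


if __name__ == "__main__":
    # Constructed placeholder credentials; nothing is sent anywhere here.
    pkt = simple_bind_request(1, "uid=alice,dc=example,dc=com", "s3cret-example")
    print("password present verbatim in the packet:", b"s3cret-example" in pkt)
    print("monitor verdict:", inspect_bind(pkt))
    # To actually bind, against a placeholder server you control:
    # bind_over_tls("ldap.example.com", "uid=alice,dc=example,dc=com",
    #               "s3cret-example", "/path/to/ca.pem")
```

On the server side, OpenLDAP can enforce the third control directly: `olcSecurity: simple_bind=128` in cn=config (or `security simple_bind=128` in slapd.conf) rejects Simple Bind on any session whose security strength factor is below 128, and `olcDisallows: bind_simple` (`disallow bind_simple`) removes the mechanism entirely.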
Application
Apply this control in all cases where clients authenticate to servers.
--
AndrewFindlay - 07 Oct 2011