Simple Bind

To authenticate using Simple Bind, the LDAP client supplies a DN and a clear-text password.

Threats

  1. The DN and password can be copied by an attacker watching network traffic.
  2. The DN and password can be copied by an attacker who can impersonate the LDAP server.
  3. The DN and password can be copied by an attacker who can subvert the server.

In each case, the attacker gains the ability to impersonate the user - possibly on multiple services.

Controls

  1. Avoid using Simple Bind if possible. There are stronger methods available.
  2. If using Simple Bind is essential, the session must be protected using TLS encryption. This protects against threats 1 and 2 above, but not against threat 3.
  3. Configure LDAP servers to refuse simple bind requests unless an adequate TLS encryption layer is in place.
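As an added example of control 3 (not from the original page), the OpenLDAP cn=config change that makes slapd refuse a simple bind unless the session already carries adequate TLS strength. It assumes slapd has TLS configured (olcTLSCertificateFile and friends) and is administered over ldapi:///; the attribute names are real OpenLDAP ones, the threshold of 128 is a chosen value.

```ldif
# Added example, not part of the original page. Enforces Control 3 on
# an OpenLDAP 2.4+ server via cn=config. Assumes TLS is already set up.
#
# Before: no olcSecurity attribute, so slapd accepts a DN plus clear-text
# password over plain ldap://, which is exactly the exposure in threats
# 1 and 2 above.
#
# After: simple binds are refused unless the session's Security Strength
# Factor (SSF) is at least 128, i.e. TLS negotiated with a cipher of
# 128 bits or stronger. Such binds fail with "confidentiality required".
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: simple_bind=128
-
# Sessions over the ldapi:// Unix socket have no TLS; slapd assigns them
# the SSF in olcLocalSSF (default 71). Raising it to the same threshold
# keeps local tools that simple-bind over ldapi:// working. Omit this
# block if local clear-text simple binds should be refused as well.
replace: olcLocalSSF
olcLocalSSF: 128
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` on the file, then check that `ldapwhoami -H ldap://server -D <dn> -W` without TLS is refused while the same command with `-ZZ` (StartTLS required) succeeds.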

Application

Apply this control in all cases where clients authenticate to servers.

-- AndrewFindlay - 07 Oct 2011
Topic revision: r1 - 07 Oct 2011, AndrewFindlay