1Net::LDAP::Security(3)User Contributed Perl DocumentationNet::LDAP::Security(3)
2
3
4
6 Net::LDAP::Security - Security issues with LDAP connections
7
9 none
10
12 This document discusses various security issues relating to using LDAP
13 and connecting to LDAP servers, notably how to manage these potential
14 vulnerabilities:
15
16 • do you know that you are connected to the right server
17
18 • can someone sniff your passwords/userids from the directory
19 connection
20
21 • can someone sniff other confidential information from the directory
22 connection
23
24 Net::LDAP provides ways to address these vulnerabilities: through the
25 use of LDAPS, or LDAPv3 and TLS, and/or the use of SASL. Each of these
26 will be explained below.
27
28 How does an LDAP connection work
29 A normal LDAPv2 or LDAPv3 connection works by the client connecting
30 directly to port 389 (by default), and then issuing various LDAP
31 requests like search, add, etc.
32
33 There is no way to guarantee that an LDAP client is connected to the
34 right LDAP server. Hackers could have poisoned your DNS, so
35 'ldap.example.com' could be made to point to 'ldap.hacker.com'. Or they
36 could have installed their own server on the correct machine.
37
38 It is in the nature of the LDAP protocol that all information goes
39 between the client and the server in 'plain text'. This is a term used
40 by cryptographers to describe unencrypted and recoverable data, so even
41 though LDAP can transfer binary values like JPEG photographs, audio
42 clips and X.509 certificates, everything is still considered 'plain
43 text'.
44
45 If these vulnerabilities are an issue to, then you should consider the
46 other possibilities described below, namely LDAPS, LDAPv3 and TLS, and
47 SASL.
48
49 How does an LDAPS connection work
50 LDAPS is an unofficial protocol. It is to LDAP what HTTPS is to HTTP,
51 namely the exact same protocol (but in this case LDAPv2 or LDAPv3)
52 running over a secured SSL ("Secure Socket Layer") connection to port
53 636 (by default).
54
55 Not all servers will be configured to listen for LDAPS connections, but
56 if they do, it will commonly be on a different port from the normal
57 plain text LDAP port.
58
59 Using LDAPS can potentially solve the vulnerabilities described above,
60 but you should be aware that simply "using" SSL is not a magic bullet
61 that automatically makes your system "secure".
62
63 First of all, LDAPS can solve the problem of verifying that you are
64 connected to the correct server. When the client and server connect,
65 they perform a special SSL 'handshake', part of which involves the
66 server and client exchanging cryptographic keys, which are described
67 using X.509 certificates. If the client wishes to confirm that it is
68 connected to the correct server, all it needs to do is verify the
69 server's certificate which is sent in the handshake. This is done in
70 two ways:
71
72 1. check that the certificate is signed (trusted) by someone that you
73 trust, and that the certificate hasn't been revoked. For instance,
74 the server's certificate may have been signed by Verisign
75 (www.verisign.com), and you decide that you want to trust Verisign
76 to sign legitimate certificates.
77
78 2. check that the least-significant cn RDN in the server's
79 certificate's DN is the fully-qualified hostname of the hostname
80 that you connected to when creating the LDAPS object. For example
81 if the server is <cn=ldap.example.com,ou=My department,o=My
82 company>, then the RDN to check is cn=ldap.example.com.
83
84 You can do this by using the cafile and capath options when creating a
85 Net::LDAPS object, and by setting the verify option to 'require'.
86
87 To prevent hackers 'sniffing' passwords and other information on your
88 connection, you also have to make sure the encryption algorithm used by
89 the SSL connection is good enough. This is also something that gets
90 decided by the SSL handshake - if the client and server cannot agree on
91 an acceptable algorithm the connection is not made.
92
93 Net::LDAPS will by default use all the algorithms built into your copy
94 of OpenSSL, except for ones considered to use "low" strength
95 encryption, and those using export strength encryption. You can
96 override this when you create the Net::LDAPS object using the 'ciphers'
97 option.
98
99 Once you've made the secure connection, you should also check that the
100 encryption algorithm that is actually being used is one that you find
101 acceptable. Broken servers have been observed in the field which 'fail
102 over' and give you an unencrypted connection, so you ought to check for
103 that.
104
105 How does LDAP and TLS work
106 SSL is a good solution to many network security problems, but it is not
107 a standard. The IETF corrected some defects in the SSL mechanism and
108 published a standard called RFC 2246 which describes TLS ("Transport
109 Layer Security"), which is simply a cleaned up and standardized version
110 of SSL.
111
112 You can only use TLS with an LDAPv3 server. That is because the
113 standard (RFC 4511) for LDAP and TLS requires that the normal LDAP
114 connection (i.e., on port 389) can be switched on demand from plain
115 text into a TLS connection. The switching mechanism uses a special
116 extended LDAP operation, and since these are not legal in LDAPv2, you
117 can only switch to TLS on an LDAPv3 connection.
118
119 So the way you use TLS with LDAPv3 is that you create your normal
120 LDAPv3 connection using "Net::LDAP::new()", and then you perform the
121 switch using "Net::LDAP::start_tls()". The "start_tls()" method takes
122 pretty much the same arguments as "Net::LDAPS::new()", so check above
123 for details.
124
125 How does SASL work
126 SASL is an authentication framework that can be used by a number of
127 different Internet services, including LDAPv3. Because it is only a
128 framework, it doesn't provide any way to authenticate by itself; to
129 actually authenticate to a service you need to use a specific SASL
130 mechanism. A number of mechanisms are defined, such as CRAM-MD5.
131
132 The use of a mechanism like CRAM-MD5 provides a solution to the
133 password sniffing vulnerability, because these mechanisms typically do
134 not require the user to send across a secret (e.g., a password) in the
135 clear across the network. Instead, authentication is carried out in a
136 clever way which avoids this, and so prevents passwords from being
137 sniffed.
138
139 Net::LDAP supports SASL using the Authen::SASL class. Currently the
140 only Authen::SASL subclasses (i.e., SASL mechanism) available are
141 CRAM-MD5 and EXTERNAL.
142
143 Some SASL mechanisms provide a general solution to the sniffing of all
144 data on the network vulnerability, as they can negotiate confidential
145 (i.e., encrypted) network connections. Note that this is over and above
146 any SSL or TLS encryption! Unfortunately, perl's Authen::SASL code
147 cannot negotiate this.
148
150 Net::LDAP, Net::LDAPS, Authen::SASL
151
153 Jim Dutton <jimd@dutton3.it.siu.edu> provided lots of useful feedback
154 on the early drafts.
155
157 Chris Ridd <chris.ridd@isode.com>
158
159 Please report any bugs, or post any suggestions, to the perl-ldap
160 mailing list <perl-ldap@perl.org>.
161
163 Copyright (c) 2001-2004 Chris Ridd. All rights reserved. This program
164 is free software; you can redistribute it and/or modify it under the
165 same terms as Perl itself.
166
167
168
169perl v5.32.1 2021-02-16 Net::LDAP::Security(3)