Anonymous Bind while using ldap3
Module

Rule ID: PY527
Category: missing_authentication
CWE: CWE-306
Severity: Error
Plan: Professional Plan
This rule detects instances where the ldap3 module in Python is used to establish an LDAP connection with an anonymous bind, which is what ldap3 performs when a Connection is created without a user and password. Anonymous binds can lead to security vulnerabilities because they allow access to the LDAP server without authentication, potentially exposing sensitive data and functionality.

Example
import ldap3
server = ldap3.Server("ldaps://ldap.example.com")
ldap = ldap3.Connection(server)
Remediation

Only make connections to LDAP servers that require an authentication mechanism, such as a user name and password.

import getpass
import ldap3
ldap_user = input('Email: ')
ldap_pass = getpass.getpass()
server = ldap3.Server("ldaps://ldap.example.com")
ldap = ldap3.Connection(server, ldap_user, ldap_pass, auto_bind=True)
False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY527) or the rule category name (missing_authentication).
Using rule ID:

import ldap3
server = ldap3.Server("ldaps://ldap.example.com")
# suppress: PY527
ldap = ldap3.Connection(server)

Using category name:

import ldap3
server = ldap3.Server("ldaps://ldap.example.com")
# suppress: missing_authentication
ldap = ldap3.Connection(server)
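The following is an added example of how a rule like this one can be implemented as a static check; it is not the analyzer's own implementation and makes no claim about how PY527 is coded internally. It walks a module's AST with the standard library only, flags calls to ldap3.Connection (including aliased imports) that supply neither user nor password, and honours the suppression comments described above: a standalone `# suppress: ...` line suppresses the finding on the next line, a trailing one suppresses the line it sits on. The four source snippets at the bottom are constructed inputs for demonstration.

```python
"""Minimal AST-based detector for anonymous binds via ldap3.Connection.

Added example, not the rule engine's own code. It assumes ldap3's actual
signature Connection(server, user=None, password=None, ...), so user and
password are the 2nd and 3rd positional parameters.
"""
from __future__ import annotations

import ast
import io
import tokenize

RULE_ID = "PY527"
CATEGORY = "missing_authentication"


def _suppressed_lines(source: str) -> set[int]:
    """Line numbers whose finding is silenced by a `# suppress:` comment.

    A comment on its own line suppresses the following line (preceding form);
    a comment after code suppresses the line it is on (trailing form).
    """
    lines: set[int] = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        body = tok.string.lstrip("#").strip()
        if not body.startswith("suppress:"):
            continue
        ids = {s.strip() for s in body[len("suppress:"):].split(",")}
        if RULE_ID in ids or CATEGORY in ids:
            lineno = tok.start[0]
            standalone = tok.line.strip().startswith("#")
            lines.add(lineno + 1 if standalone else lineno)
    return lines


class _Finder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.ldap3_aliases: set[str] = set()     # names bound to the ldap3 module
        self.connection_names: set[str] = set()  # names bound to ldap3.Connection
        self.findings: list[int] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "ldap3":
                self.ldap3_aliases.add(alias.asname or "ldap3")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "ldap3":
            for alias in node.names:
                if alias.name == "Connection":
                    self.connection_names.add(alias.asname or "Connection")
        self.generic_visit(node)

    def _is_connection_call(self, func: ast.expr) -> bool:
        if isinstance(func, ast.Name):
            return func.id in self.connection_names
        if isinstance(func, ast.Attribute) and func.attr == "Connection":
            return isinstance(func.value, ast.Name) and func.value.id in self.ldap3_aliases
        return False

    def visit_Call(self, node: ast.Call) -> None:
        if self._is_connection_call(node.func):
            kw = {k.arg for k in node.keywords}
            if None in kw:
                # Connection(server, **creds): credentials cannot be resolved
                # statically, so do not report (avoids a false positive).
                pass
            else:
                has_user = len(node.args) >= 2 or "user" in kw
                has_password = len(node.args) >= 3 or "password" in kw
                # A user without a password is still an unauthenticated simple
                # bind, so both are required to count as an authenticated bind.
                if not (has_user and has_password):
                    self.findings.append(node.lineno)
        self.generic_visit(node)


def find_anonymous_binds(source: str) -> list[int]:
    """Return sorted line numbers of unsuppressed anonymous-bind findings."""
    finder = _Finder()
    finder.visit(ast.parse(source))
    suppressed = _suppressed_lines(source)
    return sorted(ln for ln in finder.findings if ln not in suppressed)


# Constructed sample inputs (not code from the original page's project).
VULNERABLE_SRC = """import ldap3
server = ldap3.Server("ldaps://ldap.example.com")
ldap = ldap3.Connection(server)
"""
REMEDIATED_SRC = """import getpass
import ldap3
server = ldap3.Server("ldaps://ldap.example.com")
ldap = ldap3.Connection(server, input("Email: "), getpass.getpass(), auto_bind=True)
"""
SUPPRESSED_SRC = """import ldap3
server = ldap3.Server("ldaps://ldap.example.com")
# suppress: PY527
ldap = ldap3.Connection(server)
"""
ALIASED_SRC = """from ldap3 import Connection as LdapConn, Server
srv = Server("ldaps://ldap.example.com")
conn = LdapConn(srv, user="cn=svc,dc=example,dc=com")  # suppress: other_rule
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("remediated", REMEDIATED_SRC),
                      ("suppressed", SUPPRESSED_SRC), ("aliased", ALIASED_SRC)]:
        print(f"{name}: PY527 on lines {find_anonymous_binds(src)}")
```

The `**kwargs` branch is the deliberate precision trade-off: when credentials are spread from a dict the checker stays silent rather than guessing, which is the kind of case the suppression comments exist for in the real rule.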