Anonymous Bind while using ldap3 Module

PY527

missing_authentication

CWE-306

⛔️ Error

🔒 Professional Plan

---

This rule detects instances where the ldap3 module in Python is used to establish an LDAP connection with an anonymous bind. Anonymous binds can lead to security vulnerabilities as they allow access to the LDAP server without authentication, potentially exposing sensitive data and functionalities.

Example

---

Error

import ldap3


server = ldap3.Server("ldaps://ldap.example.com")
ldap = ldap3.Connection(server)

Remediation

---

fix

Only make connections to LDAP servers that require an authentication mechanism such as a user/password.

import ldap3


ldap_user = input('Email: ')
ldap_pass = getpass.getpass()
server = ldap3.Server("ldaps://ldap.example.com")
ldap = ldap3.Connection(server, ldap_user, ldap_pass, auto_bind=True)

False Positives

---

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY527) or rule category name (missing_authentication).

Using rule ID

fix

import ldap3


server = ldap3.Server("ldaps://ldap.example.com")
# suppress: PY527
ldap = ldap3.Connection(server)

Using category name

fix

import ldap3


server = ldap3.Server("ldaps://ldap.example.com")
# suppress: missing_authentication
ldap = ldap3.Connection(server)

See also

---

info

• ldap3 documentation
• CWE-306: Missing Authentication for Critical Function