
Anonymous Bind while using python-ldap Module

📐 PY528
đŸˇī¸ missing_authentication
â„šī¸ CWE-306
â›”ī¸ Error
🔒 Professional Plan

This rule detects instances where the python-ldap module in Python is used to establish an LDAP connection with an anonymous bind. Anonymous binds can lead to security vulnerabilities as they allow access to the LDAP server without authentication, potentially exposing sensitive data and functionalities.

Example

import ldap


l = ldap.initialize("ldaps://ldap.example.com")
# No password is passed, so the server performs an anonymous (unauthenticated) bind
l.simple_bind_s("cn=root")
l.search_s("o=My Organization, c=US", ldap.SCOPE_SUBTREE, "objectclass=*")
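The check this rule performs can be reproduced with a small static scanner. The example below is added here and is not the rule's own implementation: it walks a Python AST, flags `simple_bind_s`/`bind_s` style calls whose credential argument is absent or a literal empty value, and honours the suppression comment convention described later on this page. The three source snippets are constructed to mirror the page's vulnerable, remediated and suppressed code; the set of method names is an assumption covering python-ldap's bind methods.

```python
import ast

# Constructed sample sources mirroring the page's snippets (not real project files).
VULNERABLE_SRC = '''
import ldap
l = ldap.initialize("ldaps://ldap.example.com")
l.simple_bind_s("cn=root")
'''

FIXED_SRC = '''
import ldap
l = ldap.initialize("ldaps://ldap.example.com")
l.simple_bind_s(ldap_user, ldap_pass)
'''

SUPPRESSED_SRC = '''
import ldap
l = ldap.initialize("ldaps://ldap.example.com")
# suppress: PY528
l.simple_bind_s("cn=root")
'''

# Assumed list of python-ldap bind methods that take (who, cred, ...).
BIND_METHODS = {"simple_bind", "simple_bind_s", "bind", "bind_s"}
RULE_ID = "PY528"
RULE_NAME = "missing_authentication"


def _is_empty_cred(node):
    """A literal None or "" credential yields an anonymous/unauthenticated bind."""
    return isinstance(node, ast.Constant) and node.value in (None, "")


def _suppressed(lines, lineno):
    """True if the preceding line, the same line or the following line carries a
    comment naming the rule id or category (the convention this page describes)."""
    for idx in (lineno - 2, lineno - 1, lineno):  # 0-based neighbours of lineno
        if 0 <= idx < len(lines) and "#" in lines[idx]:
            comment = lines[idx].split("#", 1)[1]
            if RULE_ID in comment or RULE_NAME in comment:
                return True
    return False


def find_anonymous_binds(source):
    """Return [(lineno, method_name)] for bind calls with no usable credential."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if node.func.attr not in BIND_METHODS:
            continue
        cred = node.args[1] if len(node.args) >= 2 else None
        for kw in node.keywords:
            if kw.arg == "cred":
                cred = kw.value
        if (cred is None or _is_empty_cred(cred)) and not _suppressed(lines, node.lineno):
            findings.append((node.lineno, node.func.attr))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC),
                      ("fixed", FIXED_SRC),
                      ("suppressed", SUPPRESSED_SRC)):
        print(name, find_anonymous_binds(src))
```

The scanner is deliberately conservative: a credential passed as a variable is treated as present, which is why the remediated snippet produces no finding even though the value is only known at runtime.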

Remediation

Only bind to LDAP servers with an authentication mechanism, such as a user DN and password.

import getpass
import ldap


# Prompt for the bind DN and password instead of binding without credentials
ldap_user = input("LDAP user: ")
ldap_pass = getpass.getpass()
l = ldap.initialize("ldaps://ldap.example.com")
l.simple_bind_s(ldap_user, ldap_pass)
l.search_s("o=My Organization, c=US", ldap.SCOPE_SUBTREE, "objectclass=*")
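Prompting for a password is not by itself enough: a simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), and many directory servers answer it with success while granting only anonymous access, so a blank entry at the prompt silently reintroduces the problem. The helper below is an added example, not part of python-ldap or of this rule, and enforces non-empty credentials before the bind; `FakeLDAPObject` is a constructed stand-in for `ldap.LDAPObject` so the example runs without a server.

```python
import getpass


class AnonymousBindError(ValueError):
    """Raised when a simple bind would be anonymous or unauthenticated."""


def require_credentials(who, cred):
    """Reject an empty DN (anonymous bind) or an empty password (unauthenticated
    bind) before anything is sent to the server. Returns the pair unchanged."""
    if who is None or not who.strip():
        raise AnonymousBindError("bind DN must not be empty (anonymous bind)")
    if cred is None or cred == "":
        raise AnonymousBindError("password must not be empty (unauthenticated bind)")
    return who, cred


def authenticated_bind(conn, who, cred):
    """Perform conn.simple_bind_s only when both DN and password are present."""
    who, cred = require_credentials(who, cred)
    return conn.simple_bind_s(who, cred)


class FakeLDAPObject:
    """Constructed stand-in for ldap.LDAPObject: records bind attempts and
    returns a tuple shaped like python-ldap's (msgtype, data, msgid, ctrls)."""

    def __init__(self):
        self.binds = []

    def simple_bind_s(self, who=None, cred=None, serverctrls=None, clientctrls=None):
        self.binds.append((who, cred))
        return (97, [], 1, [])  # 97 is RES_BIND; values otherwise constructed


if __name__ == "__main__":
    # Same prompt flow as the remediation above, with the guard in front of the bind.
    conn = FakeLDAPObject()  # replace with ldap.initialize("ldaps://ldap.example.com")
    authenticated_bind(conn, input("LDAP user: "), getpass.getpass())
    print("bound as", conn.binds[-1][0])
```

Raising before the call, rather than inspecting the bind result, matters because the server's reply to an unauthenticated bind is a normal success code; there is nothing in the response that distinguishes it from a real authentication.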

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY528) or rule category name (missing_authentication).

import ldap


l = ldap.initialize("ldaps://ldap.example.com")
# The comment on the preceding line names the rule ID, so the finding below is suppressed
# suppress: PY528
l.simple_bind_s("cn=root")
l.search_s("o=My Organization, c=US", ldap.SCOPE_SUBTREE, "objectclass=*")

See also