I just stumbled on this when setting up a TLS secured LDAP connection in GitLab.
The LDAP connection does work without ever installing our self-signed CA on the GitLab server.
I think this is a big security issue, since centrally managed credentials are a potential target for MITM attacks.
The problem is Net::LDAP which does not activate certificate validation by default:
It's intended for cases where you have an implicit level of trust in the authenticity of the LDAP server. No validation of the LDAP server's SSL certificate is performed. This means that :simple_tls will not produce errors if the LDAP server's encryption certificate is not signed by a well-known Certification Authority. [...] In order to verify certificates and enable other TLS options, the :tls_options hash can be passed alongside :simple_tls or :start_tls.
(See http://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap/Net/LDAP#encryption-instance_method)
The problem with omniauth-ldap is that ensure_method (adaptor.rb line 90) does not allow passing the :tls_options hash. Also I think it would be much safer to validate by default and allow an extra parameter for ignoring validation.
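An added example (mine, not code from the issue, GitLab, omniauth-ldap or net-ldap) that shows the difference in plain Ruby with the OpenSSL stdlib: it assumes net-ldap applies :tls_options through SSLContext#set_params and leaves the context alone when the hash is empty; the CA path and the audit helper are hypothetical.

```ruby
require 'openssl'

# Build the SSL context the way the LDAP client is assumed to: an empty
# :tls_options hash leaves the fresh context untouched, a non-empty one is
# applied with set_params (assumption about net-ldap, see lead-in).
def build_ldap_ssl_context(tls_options = {})
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options) unless tls_options.empty?
  ctx
end

# True only if the resulting context rejects an untrusted server certificate.
# verify_mode is nil on old Ruby versions and VERIFY_NONE (0) on newer ones;
# nil.to_i == 0, so both count as "no verification".
def verifies_server_cert?(tls_options)
  ctx = build_ldap_ssl_context(tls_options)
  (ctx.verify_mode.to_i & OpenSSL::SSL::VERIFY_PEER) != 0
end

# The :tls_options hash to pass next to :simple_tls / :start_tls so the LDAP
# server certificate is checked against our own CA (ca_file is a placeholder).
def strict_tls_options(ca_file)
  {
    verify_mode: OpenSSL::SSL::VERIFY_PEER,
    ca_file: ca_file,
    # Name check against the socket's hostname when the client sets it;
    # without it any certificate issued by the CA would be accepted.
    verify_hostname: true
  }
end

# Hypothetical audit of the :encryption value a GitLab/omniauth-ldap adaptor
# would hand to Net::LDAP.new. Returns :plaintext, :unverified_tls or :verified_tls.
def audit_ldap_encryption(encryption)
  return :plaintext if encryption.nil?
  opts = encryption.fetch(:tls_options, {})
  verifies_server_cert?(opts) ? :verified_tls : :unverified_tls
end

if __FILE__ == $PROGRAM_NAME
  # What the issue describes: :simple_tls with no tls_options verifies nothing.
  p audit_ldap_encryption({ method: :simple_tls })
  p audit_ldap_encryption({ method: :start_tls,
                            tls_options: strict_tls_options('/etc/ssl/certs/our-ca.pem') })
end
```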