Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SASL digest authentication uses simple bind instead #83

Open
dkleszyk opened this issue Mar 22, 2018 · 0 comments
Open

SASL digest authentication uses simple bind instead #83

dkleszyk opened this issue Mar 22, 2018 · 0 comments

Comments

@dkleszyk
Copy link

Issue

Setup

  1. Initialize a new adaptor with method = 'plain', try_sasl = true, and sasl_mechanisms = ['DIGEST-MD5']
  2. Start wireshark tshark -i any -f "tcp port 389" -Y "ldap" -T text
  3. Call bind_as with filter = '...', size = 1, and password = '...'

Expected

Wireshark shows SASL bind in progress, followed by success. Digest sent over network instead of clear text password.

Actual

Wireshark shows a simple bind being performed. Password sent in clear text.

More details

I describe my workaround for this issue here. Note that this is slightly more involved because I am patching the forked version used by GitLab.

I'm not familiar with Ruby, and I'm having trouble reading through the net/ldap documentation. But I think the issue is that net/ldap seems to use 'method' for two different things: simple/anonymous when part of the auth parameter, or simple_tls/start_tls when part of the encryption parameter.

In initialize, it looks like :method is mapped to encryption[:method] and stored under @method. For validation, ensure_method restricts :method to 'ssl', 'tls', or 'plain'.

Whereas :try_sasl is mapped to auth[:method] and stored under @bind_method.

However, in bind_as, @method is used instead of @bind_method. So net/ldap sees auth[:method] = nil instead of auth[:method] = :sasl.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant