Setup
1. Initialize a new adaptor with method = 'plain', try_sasl = true, and sasl_mechanisms = ['DIGEST-MD5']
2. Start wireshark: tshark -i any -f "tcp port 389" -Y "ldap" -T text
3. Call bind_as with filter = '...', size = 1, and password = '...'
Expected
Wireshark shows SASL bind in progress, followed by success. Digest sent over network instead of clear text password.
Actual
Wireshark shows a simple bind being performed. Password sent in clear text.
More details
I describe my workaround for this issue here. Note that this is slightly more involved because I am patching the forked version used by GitLab.
I'm not familiar with Ruby, and I'm having trouble reading through the net/ldap documentation. But I think the issue is that net/ldap seems to use 'method' for two different things: simple/anonymous when part of the auth parameter, or simple_tls/start_tls when part of the encryption parameter.
In initialize, it looks like :method is mapped to encryption[:method] and stored under @method. For validation, ensure_method restricts :method to 'ssl', 'tls', or 'plain'.
Whereas :try_sasl is mapped to auth[:method] and stored under @bind_method.
However, in bind_as, @method is used instead of @bind_method. So net/ldap sees auth[:method] = nil instead of auth[:method] = :sasl.
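The mapping described above, as an added example that is not the adaptor's or net/ldap's own code. The option names (:method, :try_sasl, :sasl_mechanisms), the ssl/tls/plain restriction, and the @method / @bind_method instance variables come from the issue; the class name, the exact hash shapes, bind_as_buggy / bind_as_fixed, and the cleartext_password_on_wire? guard are assumptions of this example. Net::LDAP is not loaded; the hashes are what would be handed to it as auth and encryption options, and the DIGEST-MD5 challenge/response exchange itself is not modeled.

```ruby
# Added example (not omniauth-ldap or net/ldap code). Models the config
# mapping from the issue: :method -> encryption[:method] (ssl/tls/plain),
# :try_sasl -> auth[:method] (:sasl/:simple). bind_as_buggy reproduces the
# reported defect (reading @method where @bind_method was meant);
# bind_as_fixed is the corrected lookup.
class LdapAdaptorModel
  ENCRYPTION_METHODS = %w[ssl tls plain].freeze
  AUTH_METHODS       = %i[simple anonymous sasl].freeze

  def initialize(method:, try_sasl: false, sasl_mechanisms: [])
    # ensure_method: :method is the *encryption* method, stored in @method.
    @method = method.to_s
    unless ENCRYPTION_METHODS.include?(@method)
      raise ArgumentError, "method must be one of #{ENCRYPTION_METHODS.join(', ')}"
    end
    # :try_sasl selects the *bind* method and is stored separately.
    @bind_method     = try_sasl ? :sasl : :simple
    @sasl_mechanisms = Array(sasl_mechanisms)
  end

  # Encryption option for the connection; nil means a plain TCP socket.
  def encryption
    case @method
    when 'ssl' then { method: :simple_tls }
    when 'tls' then { method: :start_tls }
    else nil
    end
  end

  # The defect: 'plain' is an encryption method, not an auth method, so the
  # lookup yields nil and net/ldap falls back to a simple bind, putting the
  # password on the wire in clear text.
  def bind_as_buggy(dn, password)
    auth_method = AUTH_METHODS.include?(@method.to_sym) ? @method.to_sym : nil
    auth_hash(auth_method, dn, password)
  end

  # The fix: consult @bind_method, which :try_sasl actually populated.
  def bind_as_fixed(dn, password)
    auth_hash(@bind_method, dn, password)
  end

  # Guard to call before binding (assumption of this example): true when the
  # bind would send the password unprotected, i.e. a simple bind (explicit or
  # the nil fallback) carrying a password over an unencrypted connection.
  def cleartext_password_on_wire?(auth)
    simple = auth[:method].nil? || auth[:method] == :simple
    simple && !auth[:password].to_s.empty? && encryption.nil?
  end

  private

  def auth_hash(auth_method, dn, password)
    case auth_method
    when :sasl
      mechanism = @sasl_mechanisms.first
      raise ArgumentError, 'no SASL mechanism configured' if mechanism.nil?
      # With SASL the password feeds the mechanism's challenge/response and
      # is never placed in the request as clear text.
      { method: :sasl, mechanism: mechanism, username: dn }
    when :anonymous
      { method: :anonymous }
    else
      # nil or :simple: the clear-text password path.
      { method: auth_method, username: dn, password: password }
    end
  end
end
```

With method = 'plain' and try_sasl = true, bind_as_buggy returns method: nil (the case the tshark capture shows as a simple bind), and the guard flags it; bind_as_fixed returns method: :sasl with mechanism 'DIGEST-MD5'. Running the guard before every bind turns the silent downgrade into a hard failure instead of a packet-capture surprise.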