Unauthenticated LDAP requests
Severity: High

Do not bind to an LDAP server with an anonymous bind (empty DN and empty password) or an unauthenticated bind (a DN with an empty password). Both are forms of the LDAP simple bind that a server may accept without verifying any password (RFC 4513, section 5.1.2), typically by treating the session as anonymous. A client that takes a bind that did not fail as proof of identity therefore grants access to anyone who submits an empty password. Always bind with a DN and a non-empty password, and reject empty credentials before sending the bind request.

Detector ID
python/ldap-authentication@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

def authenticate_connection_noncompliant():
    import ldap
    connect = ldap.initialize('ldap://127.0.0.1:1389')
    connect.set_option(ldap.OPT_REFERRALS, 0)
    # Noncompliant: a DN with no password is an unauthenticated simple bind.
    # The server may accept it and silently treat the session as anonymous.
    connect.simple_bind('cn=root')

Compliant example

def authenticate_connection_compliant():
    import ldap
    import os
    # Prefer ldaps:// or start_tls_s() so the password is not sent in clear.
    connect = ldap.initialize('ldap://127.0.0.1:1389')
    connect.set_option(ldap.OPT_REFERRALS, 0)
    password = os.environ.get('LDAP_PASSWORD')
    if not password:
        # An unset variable would turn this back into an unauthenticated bind.
        raise RuntimeError('LDAP_PASSWORD is not set')
    # Compliant: simple bind with a DN and a non-empty password.
    connect.simple_bind('cn=root', password)
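The examples above show the bind call itself; the following is an added example (not code from the detector page or from python-ldap) that shows why the empty-password case matters when a bind is used to log users in, and how to guard against it. It assumes a python-ldap style connection object exposing simple_bind_s(who, cred), the synchronous variant that raises on failure, and replaces the real server with a constructed in-memory directory so it runs offline. FakeLdapConnection, InvalidCredentials, naive_login, safe_login, bind_service_account and CONSTRUCTED_USERS are names invented for this example.

```python
"""Refusing anonymous and unauthenticated LDAP simple binds (added example)."""
import os


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS, which python-ldap raises on a bad bind."""


class FakeLdapConnection:
    """Constructed stand-in for the object returned by ldap.initialize().

    It models a directory that behaves as RFC 4513 section 5.1.2 permits:
    an empty DN (anonymous bind) or a DN with an empty password
    (unauthenticated bind) does not raise; the session is silently treated
    as anonymous. Only a DN plus a non-empty password is actually verified.
    """

    def __init__(self, users):
        self._users = dict(users)  # dn -> password, constructed sample data
        self.bound_as = None       # DN the session is currently authorised as

    def simple_bind_s(self, who=None, cred=None):
        who = who or ''
        cred = cred or ''
        if who == '' or cred == '':
            self.bound_as = ''     # anonymous session, no error raised
            return
        if self._users.get(who) != cred:
            raise InvalidCredentials(who)
        self.bound_as = who


def naive_login(conn, dn, password):
    """The vulnerable pattern: a bind that did not raise is taken as proof
    of identity. With a server like the one modelled above, an empty
    password passes as a successful login."""
    try:
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        return False
    return True


def authenticated_bind(conn, dn, password):
    """Bind only when both a DN and a non-empty password are supplied.

    Rejecting empty values on the client side means the outcome no longer
    depends on whether the server honours unauthenticated binds.
    """
    if not dn or not dn.strip():
        raise ValueError('refusing anonymous bind: empty DN')
    if not password:
        raise ValueError('refusing unauthenticated bind: empty password')
    conn.simple_bind_s(dn, password)


def safe_login(conn, dn, password):
    """Hardened login check: empty credentials never count as a login, and
    the session must actually end up bound as the requested DN."""
    try:
        authenticated_bind(conn, dn, password)
    except (ValueError, InvalidCredentials):
        return False
    return conn.bound_as == dn


def bind_service_account(conn, dn, env_var='LDAP_PASSWORD', environ=None):
    """Service-account bind that fails closed when the secret is missing.

    os.environ.get() returns None for an unset variable; passing that to
    simple_bind would degrade the call to an unauthenticated bind, so the
    value is checked first. `environ` may be overridden for testing.
    """
    environ = os.environ if environ is None else environ
    authenticated_bind(conn, dn, environ.get(env_var))
    return conn.bound_as


# Constructed sample directory: one user with a known password.
CONSTRUCTED_USERS = {'uid=alice,dc=example,dc=com': 'correct horse'}

if __name__ == '__main__':
    conn = FakeLdapConnection(CONSTRUCTED_USERS)
    alice = 'uid=alice,dc=example,dc=com'
    print('naive login, empty password:', naive_login(conn, alice, ''))
    print('safe login,  empty password:', safe_login(conn, alice, ''))
    print('safe login,  right password:', safe_login(conn, alice, 'correct horse'))
```

When wiring this to a real server, replace FakeLdapConnection with ldap.initialize(...) and InvalidCredentials with ldap.INVALID_CREDENTIALS. Note that python-ldap's simple_bind() is asynchronous and returns a message id, so it never raises at the call site; use simple_bind_s(), or follow simple_bind() with result(), if the outcome is going to be checked. The client-side empty-credential check is still needed in both cases, since OpenLDAP rejects unauthenticated binds by default but other directories accept them.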