Description
I just stumbled on this when setting up a TLS secured LDAP connection in GitLab.
The LDAP connection does work without ever installing our self-signed CA on the GitLab server.
I think this is a big security issue, since centrally managed credentials are a potential target for MITM attacks.
The problem is Net::LDAP which does not activate certificate validation by default:
It's intended for cases where you have an implicit level of trust in the authenticity of the LDAP server. No validation of the LDAP server's SSL certificate is performed. This means that :simple_tls will not produce errors if the LDAP server's encryption certificate is not signed by a well-known Certification Authority. [...] In order to verify certificates and enable other TLS options, the :tls_options hash can be passed alongside :simple_tls or :start_tls.
(See http://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap/Net/LDAP#encryption-instance_method)
The problem with omniauth-ldap is that ensure_method (adaptor.rb line 90) does not allow passing the :tls_options hash.
Also, I think it would be much safer to validate by default and allow an extra parameter for ignoring validation.
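As an added illustration (not code from this issue, from omniauth-ldap or from net-ldap), the following Ruby shows the shape of the :tls_options hash the quoted Net::LDAP documentation refers to, with the non-verifying configuration beside the one that pins the server certificate to an internal CA, plus a small audit helper that flags an encryption hash which would connect without verification. The helper names are my own, the CA path is a placeholder, and the only net-ldap API assumed is the documented `encryption: { method:, tls_options: }` argument of `Net::LDAP.new`; the gem is loaded only if present, so the hash-building part runs without it.

```ruby
require 'openssl'
begin
  require 'net/ldap' # only needed for connect_ldap; everything else is plain Ruby
rescue LoadError
  # gem not installed: the option-building and audit helpers still work
end

# Build the :encryption argument for Net::LDAP.new.
# verify: true  -> server certificate is checked against ca_file (or the
#                  system store when ca_file is nil), the hardened form.
# verify: false -> the non-verifying form the issue describes; kept only so
#                  the two can be compared side by side.
def ldap_encryption_options(method: :simple_tls, ca_file: nil, verify: true)
  unless %i[simple_tls start_tls].include?(method)
    raise ArgumentError, 'method must be :simple_tls or :start_tls'
  end
  tls = if verify
          opts = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
          opts[:ca_file] = ca_file if ca_file # placeholder path supplied by caller
          opts
        else
          { verify_mode: OpenSSL::SSL::VERIFY_NONE }
        end
  { method: method, tls_options: tls }
end

# Audit helper: true when the encryption hash would accept any server
# certificate (missing tls_options, or verify_mode other than VERIFY_PEER).
def insecure_tls?(encryption)
  tls = encryption[:tls_options]
  return true if tls.nil? || tls.empty?
  tls[:verify_mode] != OpenSSL::SSL::VERIFY_PEER
end

# Open the connection with verification enforced; refuses an insecure hash.
def connect_ldap(host:, port: 636, encryption:)
  raise 'net-ldap gem not available' unless defined?(Net::LDAP)
  raise 'refusing LDAP connection without certificate verification' if insecure_tls?(encryption)
  Net::LDAP.new(host: host, port: port, encryption: encryption)
end

if __FILE__ == $PROGRAM_NAME
  weak = ldap_encryption_options(verify: false)
  hardened = ldap_encryption_options(ca_file: '/etc/ssl/internal-ca.pem') # placeholder
  puts "weak config insecure?     #{insecure_tls?(weak)}"
  puts "hardened config insecure? #{insecure_tls?(hardened)}"
end
```

The audit helper is the piece worth wiring into a deployment check: it treats an absent or empty :tls_options as insecure, which matches the documented behaviour that :simple_tls alone performs no certificate validation.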