Should LDAP authentication continue if TLS negotiation fails?
EmmetRMS opened this issue · 4 comments
With LDAPS being deprecated [1] in favour of negotiating TLS over port 386 * I'm assuming * that if the TLS negotiation fails then the attempt to authenticate against the LDAP server on port 386 should also fail.
What I'm experiencing with the dropwizard-auth-ldap module (v1.0.3) is that if the client is returned a LDAP server security certificate which is not found in the client trust store (that is, the TLS negotiate fails) the DW LdapAuthenticator method authenticate() logs the error as LOGGER.info("Could not negotiate TLS", err); and then continues to pass the user credentials as plain text to the LDAP server. I would have thought the AutoclosingLdapContext constructor should log the error [2] and also throw an exception.
What are your thoughts?
Thanks.
[1]
[2]
` public class AutoclosingLdapContext extends InitialLdapContext implements AutoCloseable {
private static final Logger LOGGER = LoggerFactory.getLogger(AutoclosingLdapContext.class);
private StartTlsResponse tls = null;
protected AutoclosingLdapContext() throws NamingException {
this(new Hashtable<>(), true);
}
public AutoclosingLdapContext(Hashtable<?, ?> environment, boolean negotiateTls) throws NamingException {
super(environment, null);
if (negotiateTls) {
try {
tls = (StartTlsResponse) this.extendedOperation(new StartTlsRequest());
tls.negotiate();
} catch (Exception err) {
LOGGER.info("Could not negotiate TLS", err);
}
}
}`
Sorry this is a confusion on my part. What I'm actually seeing is:
- The connection is first made to the LDAP server without TLS
- Then an attempt is made to promote the connection to TLS which then fails (due to the certificate issue) 3. The LdapAuthenticator method: public boolean authenticate(BasicCredentials credentials) throws io.dropwizard.auth.AuthenticationException returns true.
So I think I need to use the deprecated LDAPS protocol so that user credentials in step 1 aren't sent as plain text. Is that right?
Sorry I didn't mean to close the issue.
If I'm understanding your issue is it that you want it to connect to LDAP then when attempting to promote to TLS and that fails you want it to fail the entire attempt? If so, then I would agree that the code doesn't currently support that flow. It instead tries best effort to negotiate TLS and if it works great, otherwise at least still try to do plain-text which is what you're seeing at the moment.
You're correct to assume that if you use LDAPS then it will either work or not work but at least your credentials aren't sent over plain-text.
This was originally added to help support some users that wanted the ability to negotiate TLS if it was available. However, it sounds like perhaps we need to add the ability to have strict negotiation TLS in your case and fail the entire attempt if TLS is unavailable.
I can create a PR for this.