Preventing LDAP injection

Matias · Jun 12, 2010 · Viewed 14.2k times

I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After working a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code.
I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc.
I thought that escaping equals and semicolons would be enough, but not sure.

Here is a little piece of code so I can make clearer the question:

 // $userName comes straight from user input and is concatenated into the filter
 String ldapSearchQuery = "(cn=" + $userName + ")";
 System.out.println(ldapSearchQuery);

Obviously I do need to sanitize $userName, as stated in this OWASP article.

Answer

Trueblood · Jun 22, 2010

OWASP is a good security guide that I use a lot, and has example code (in Java, but you should be able to translate): http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

Also, here's an Active Directory specific reference: http://www.rlmueller.net/CharactersEscaped.htm