GitLab LDAP integration vulnerable to MITM attack
Overview
By default the ruby-net-ldap gem does not enable SSL verification unless configured via tls_options.
GitLab uses the omniauth-ldap library for LDAP auth. There is currently an open issue LDAP Server certificate not validated which describes the SSL verification problem.
I've lodged this issue here for posterity. We should either address it upstream or in our fork.
Problem
As no verification is performed on the SSL certificate an attacker could easily impersonate an LDAP server.
Solution
We should patch our fork of the omniauth-ldap library to pass and verify SSL certificates by default.
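As an added illustration (not code from this issue, GitLab or the net-ldap gem), the unverified `encryption:` hash beside a hardened one that sets `tls_options`, with a check that builds an OpenSSL context the way the report describes the gem behaving; the CA bundle path and the context-building helper are assumptions.

```ruby
require 'openssl'

# Hypothetical CA bundle path; substitute the CA that signs the LDAP server cert.
CA_FILE = '/etc/ssl/certs/ldap-ca.pem'

# Constructed example of the default the report describes: LDAPS requested,
# but no tls_options, so no certificate verification.
INSECURE_ENCRYPTION = { method: :simple_tls }.freeze

# Hardened form: require peer verification against a pinned CA bundle.
def hardened_encryption(ca_file = CA_FILE)
  {
    method: :simple_tls,
    tls_options: {
      verify_mode: OpenSSL::SSL::VERIFY_PEER,
      ca_file: ca_file
    }
  }
end

# Assumption, modelling the behaviour the report describes: tls_options are
# applied with set_params only when present, so an empty hash leaves the
# context at OpenSSL's default of no peer verification.
def build_context(encryption)
  ctx = OpenSSL::SSL::SSLContext.new
  opts = encryption[:tls_options] || {}
  ctx.set_params(opts) unless opts.empty?
  ctx
end

# Audit check: would this encryption hash verify the LDAP server certificate?
def verifies_peer?(encryption)
  build_context(encryption).verify_mode == OpenSSL::SSL::VERIFY_PEER
end

if __FILE__ == $PROGRAM_NAME
  puts "default config verifies peer:  #{verifies_peer?(INSECURE_ENCRYPTION)}"
  puts "hardened config verifies peer: #{verifies_peer?(hardened_encryption)}"
end
```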