
GitLab LDAP integration vulnerable to MITM attack

Overview

By default the ruby-net-ldap gem does not enable TLS certificate verification: the LDAP server's certificate is only checked when verification is explicitly configured via tls_options.

GitLab uses the omniauth-ldap library (which wraps ruby-net-ldap) for LDAP auth. There is currently an open upstream issue, "LDAP Server certificate not validated", which describes the certificate verification problem.

I've lodged this issue here for posterity. We should either address it upstream or in our fork.

Problem

As no verification is performed on the server's TLS certificate, an attacker positioned between GitLab and the LDAP server (MITM) can present any certificate, including a self-signed one, and impersonate the LDAP server. Since GitLab binds to LDAP with a simple bind, the bind DN password and the credentials of every user who logs in would be sent to the impersonated server.

Solution

We should patch our fork of the omniauth-ldap library to pass tls_options that enable certificate verification (VERIFY_PEER against a trusted CA) by default.
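As an added illustration (not code from this issue, from GitLab, or from the net-ldap gem), the following stand-alone Ruby script shows the difference between the two settings. It builds the client SSLContext the way the issue describes net-ldap doing it, calling set_params only when tls_options is non-empty (that mirroring is an assumption, not the gem's own code), starts a local TLS listener with a constructed self-signed certificate standing in for an impersonating LDAP server, and probes it twice: with empty tls_options the handshake succeeds and the rogue certificate is accepted; with verify_mode: VERIFY_PEER it is rejected. The hostname ldap.example.test, the listener and the certificate are all constructed for the demo.

```ruby
require 'openssl'
require 'socket'

# Build a client SSLContext from a net-ldap style tls_options hash.
# Assumption: mirrors the gem's behaviour described above. An empty hash leaves
# OpenSSL's default verify_mode (VERIFY_NONE), so any certificate the peer
# presents, including an attacker's, is accepted.
def client_context(tls_options = {})
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options) unless tls_options.empty?
  ctx
end

# Constructed: a throwaway self-signed certificate standing in for an
# impersonated LDAP server (no trusted CA has signed it).
def rogue_server_identity(cn = 'ldap.example.test')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Start a TLS listener on an ephemeral loopback port using the rogue identity.
# Returns the port and the serving thread.
def start_rogue_server(key, cert)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.key = key
  sctx.cert = cert
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  ssl.start_immediately = true
  thread = Thread.new do
    loop do
      begin
        conn = ssl.accept
        conn.close
      rescue OpenSSL::SSL::SSLError, IOError
        # client aborted the handshake (certificate rejected): keep serving
      end
    end
  end
  [tcp.addr[1], thread]
end

# Attempt a TLS handshake with the given tls_options. Returns :connected when
# the rogue certificate was accepted and :rejected when verification failed.
def probe(port, tls_options)
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, client_context(tls_options))
  ssl.hostname = 'ldap.example.test' # SNI, and hostname check when verifying
  ssl.connect
  ssl.close
  :connected
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock&.close
end

# The corrected setting: verify the chain against the system trust store.
# A real deployment would add ca_file: '/path/to/ldap-ca.pem' as well.
VERIFY_OPTIONS = { verify_mode: OpenSSL::SSL::VERIFY_PEER }.freeze

# Run both probes against the rogue listener and report the outcome of each.
def demo
  key, cert = rogue_server_identity
  port, thread = start_rogue_server(key, cert)
  results = {
    default: probe(port, {}),              # no tls_options: MITM cert accepted
    verified: probe(port, VERIFY_OPTIONS)  # VERIFY_PEER: self-signed cert rejected
  }
  thread.kill
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script prints `{:default=>:connected, :verified=>:rejected}`: the unverified client completes the handshake with the impersonator and would go on to send its bind password, while the verifying client aborts before any LDAP traffic is exchanged.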

cc @briann @dblessing @stanhu