GitLab LDAP integration vulnerable to MITM attack
By default the ruby-net-ldap gem does not enable SSL certificate verification unless it is explicitly configured to do so via tls_options.
I've lodged this issue here for posterity. We should either address it upstream or in our fork.
As no verification is performed on the SSL certificate, an attacker positioned between GitLab and the directory could easily impersonate the LDAP server and capture the credentials GitLab sends to it.
We should patch our fork of the omniauth-ldap library to pass tls_options that verify the LDAP server's SSL certificate by default.
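To make the failure mode concrete, the following Ruby script is an added illustration (not code from GitLab, omniauth-ldap or net-ldap). It stands up a throwaway TLS server on loopback and performs the client handshake the way net-ldap does, by handing tls_options to OpenSSL::SSL::SSLContext#set_params. With verify_mode left at VERIFY_NONE, a certificate an attacker minted for the LDAP hostname is accepted; with VERIFY_PEER and an explicit trust store it is rejected while the real server's certificate still passes. The hostname, both certificates and the option hashes are constructed for the example.

```ruby
require 'openssl'
require 'socket'

# Assumed hostname of the legitimate LDAP server (constructed for this example).
LDAP_HOST = 'ldap.example.internal'

# What an unconfigured net-ldap connection effectively gets: an SSLContext whose
# verify_mode is VERIFY_NONE, so whatever certificate the peer presents is accepted.
INSECURE_TLS_OPTIONS = { verify_mode: OpenSSL::SSL::VERIFY_NONE }.freeze

# tls_options that actually authenticate the server: verify the chain against an
# explicit trust store and check the hostname. The keys are SSLContext attributes,
# because net-ldap passes this hash straight to SSLContext#set_params.
def hardened_tls_options(trusted_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store, verify_hostname: true }
end

# Shape of the encryption: argument one would give Net::LDAP.new. Not executed
# here, since this example deliberately does not load the gem.
def ldap_encryption_options(trusted_cert)
  { method: :simple_tls, tls_options: hardened_tls_options(trusted_cert) }
end

# Throwaway self-signed certificate for +hostname+ (constructed for the demo).
# Called twice below: once for the real server, once for the attacker, who can
# of course mint a certificate carrying any name they like.
def self_signed_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One-shot TLS server on loopback presenting +cert+, and a client handshake against
# it using +tls_options+ exactly as net-ldap would apply them to a client context.
# Returns true if the handshake completed, false if the client rejected the cert.
def handshake_accepted?(cert, key, tls_options)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key  = key
  listener = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), server_ctx)
  port = listener.to_io.addr[1]
  server = Thread.new do
    begin
      listener.accept.close
    rescue StandardError
      # the client aborted the handshake after inspecting the certificate
    end
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.set_params(tls_options)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), client_ctx)
  ssl.sync_close = true
  ssl.hostname = LDAP_HOST # SNI, and the name verify_hostname checks against the SAN
  begin
    ssl.connect
    true
  rescue OpenSSL::SSL::SSLError
    false
  ensure
    ssl.close
    server.join
    listener.close
  end
end

# Three handshakes: rogue server without verification (accepted: this is the MITM),
# rogue server with verification (rejected), real server with verification (accepted).
def mitm_demo
  legit_cert, legit_key = self_signed_cert(LDAP_HOST)
  rogue_cert, rogue_key = self_signed_cert(LDAP_HOST) # attacker's cert, same name
  hardened = hardened_tls_options(legit_cert)
  {
    rogue_accepted_without_verification: handshake_accepted?(rogue_cert, rogue_key, INSECURE_TLS_OPTIONS),
    rogue_accepted_with_verification:    handshake_accepted?(rogue_cert, rogue_key, hardened),
    legit_accepted_with_verification:    handshake_accepted?(legit_cert, legit_key, hardened)
  }
end

mitm_demo.each { |name, accepted| puts "#{name}: #{accepted}" }
```

The hardened hash is the fix the issue asks for expressed as net-ldap options: with cert_store pointing at the directory's CA (or ca_file on disk) and verify_mode set to VERIFY_PEER, the handshake fails closed against anyone who is not holding a certificate chaining to that CA for the configured hostname.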