An LDAP client authenticates to an LDAP server with a "bind request" which provides, among other, a simple authentication method.

Simple authentication in LDAP can be used with three different mechanisms:

Anonymous binds and unauthenticated binds allow access to information in the LDAP directory without providing a password, their use is therefore strongly discouraged.

Noncompliant Code Example

import ldap

def init_ldap():
   connect = ldap.initialize('ldap://example:1389')

   connect.simple_bind('cn=root') # Noncompliant
   connect.simple_bind_s('cn=root') # Noncompliant
   connect.bind_s('cn=root', None) # Noncompliant
   connect.bind('cn=root', None) # Noncompliant

Compliant Solution

import ldap
import os

def init_ldap():
   connect = ldap.initialize('ldap://example:1389')

   connect.simple_bind('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
   connect.simple_bind_s('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
   connect.bind_s('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant
   connect.bind('cn=root', os.environ.get('LDAP_PASSWORD')) # Compliant

See