@cepharum/ldap-bridge
remotely backed LDAP authentication
MIT
This package implements an LDAP service suitable for authenticating users. It translates incoming requests to bind as a user into authentication requests against configurable backend services such as POP3.
Using this service, you can set up an LDAP-aware service such as Jitsi or Mattermost so that its users authenticate against the POP3 server of your local MTA.
In production mode the service requires encrypted connections with its clients as well as with its backend services. Due to its nature it forwards any password provided by a client to the related backend service. It does not store passwords, and it does not cache any result either. The service works stateless.
As a beneficial side effect, the service scales horizontally.
To conclude, from a user's point of view this tool introduces a security issue as soon as it authenticates against backends you don't manage: it is in a position to read or track sensitive information meant to be shared only between your user and the remote backend.
In a locally created folder run:
npm install @cepharum/ldap-bridge
Create a local copy of the distributed configuration file:
cp node_modules/@cepharum/ldap-bridge/config.dist.js config.js
Open the file config.js in your favourite text editor and adjust it according to your needs.
Finally, start the service with:
npx ldap-bridge
The latest version is also available as a docker image named registry.gitlab.com/cepharum-foss/ldap-bridge.
On first run this image writes a configuration template into the mounted volume for review.
mkdir -p data
docker run -it --rm -v $(pwd)/data:/config registry.gitlab.com/cepharum-foss/ldap-bridge
After adjusting the configuration in data/config.js you can start the container with:
docker run -d --rm -p 636:636 -v $(pwd)/data:/config registry.gitlab.com/cepharum-foss/ldap-bridge
The service logs to the console using debug. Thus, you can use the DEBUG environment variable to adjust log levels. In the docker image this defaults to *:alter,*:error,*:warn,*:info.
In a production setup the service requires the LDAP side and the backends to communicate over encrypted connections only. You need to set the NODE_ENV environment variable to development to work with a non-encrypted LDAP server locally.
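The bind-to-POP3 translation described above and the NODE_ENV rule, as an added Node.js example that is not the project's own code: the config shape, the DN layout under an assumed ou=users,dc=example,dc=org base and the in-memory POP3 backend are all constructed for the demonstration.

```javascript
// Added example, not code from the ldap-bridge project. Models how an LDAP simple
// bind is turned into a POP3 USER/PASS login against a configurable backend.
// The config shape, DN layout and in-memory POP3 backend are all constructed here.
const config = {
  baseDn: 'ou=users,dc=example,dc=org', // assumed: clients bind as uid=<name>,<baseDn>
  backend: { kind: 'pop3', tls: false },  // constructed; tls:false = plaintext backend
};

// Constructed in-memory POP3 backend: a real USER/PASS state machine over a fake
// account table, so the bridge logic below can be exercised offline.
function makePop3Backend(accounts) {
  let pendingUser = null;
  return {
    exchange(line) {
      const sp = line.indexOf(' ');
      const cmd = sp < 0 ? line : line.slice(0, sp);
      const arg = sp < 0 ? '' : line.slice(sp + 1);
      if (cmd === 'USER') { pendingUser = arg; return '+OK'; }
      if (cmd === 'PASS') {
        const ok = pendingUser !== null && accounts[pendingUser] === arg;
        pendingUser = null; // POP3 forgets USER after one PASS attempt
        return ok ? '+OK logged in' : '-ERR authentication failed';
      }
      return '-ERR unknown command';
    },
  };
}

// Map a bind DN to a backend username; only uid=<name> directly under baseDn counts.
function usernameFromDn(dn, baseDn) {
  const m = /^uid=([^,]+),(.+)$/i.exec(dn.trim());
  if (!m || m[2].toLowerCase() !== baseDn.toLowerCase()) return null;
  return m[1];
}

// Bind handler: stateless, stores nothing, forwards the password to the backend once.
// Plaintext backends are refused unless NODE_ENV=development, mirroring the README. An
// empty password is rejected: LDAP treats that as an unauthenticated bind, not a login.
function bind(dn, password, backend, env = process.env.NODE_ENV) {
  if (!config.backend.tls && env !== 'development') {
    return { ok: false, reason: 'unencrypted backend refused outside development' };
  }
  const user = usernameFromDn(dn, config.baseDn);
  if (!user || password === '') return { ok: false, reason: 'invalid credentials' };
  if (!backend.exchange(`USER ${user}`).startsWith('+OK')) {
    return { ok: false, reason: 'backend rejected user' };
  }
  const ok = backend.exchange(`PASS ${password}`).startsWith('+OK');
  return { ok, reason: ok ? 'bound' : 'invalid credentials' };
}
```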
FAQs
The npm package @cepharum/ldap-bridge receives a total of 1 weekly download. As such, @cepharum/ldap-bridge popularity was classified as not popular.
We found that @cepharum/ldap-bridge demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.