I’m building a Haskell web application for which I need authentication. My organization runs an LDAP server, and I would prefer not to reinvent the wheel. However, when I inspect the source code for LDAP.Init.ldapSimpleBind from the ldap-haskell package, I discover that it calls the C routine ldap_simple_bind_s. As far as I can tell, this API call is going to send my users’ passwords in the clear to an LDAP server. Not acceptable.
- Have I understood correctly what ldap-haskell is doing?
- If so, is there a secure way for me to authenticate my users to an LDAP server from an application written in Haskell?
Passwords must be sent in the clear over a secure connection to an LDAP server that supports password policy checks. Failure to do so will result in the server being unable to manage password history and password quality checks. If the server does not support password policy and history checks, then that server should not be used for non-trivial, mission critical applications. Use either SSL, or failing that, an unsecure connection promoted to TLS using the StartTLS extended operation.
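As an added illustration of the answer's first option (this is not code from the question, the answer, or the ldap-haskell package): the same ldapSimpleBind call the question worries about, issued over an ldaps:// connection so the credentials travel inside TLS rather than in the clear. It assumes the hostname shown, that LDAP.Init.ldapInitialize accepts an LDAP URI, and that LDAP.Exceptions.catchLDAP is available for error handling.

```haskell
import LDAP.Init (ldapInitialize, ldapSimpleBind)
import LDAP.Exceptions (catchLDAP)

-- Assumed server URI. The ldaps:// scheme makes the library open a TLS
-- connection first, so the simple bind that follows is not sent in the clear.
ldapUri :: String
ldapUri = "ldaps://ldap.example.org:636"

-- Authenticate one user by binding with their DN and password over TLS.
-- Returns True only if the server accepts the bind.
authenticate :: String -> String -> IO Bool
authenticate userDn password
  -- An empty password turns a simple bind into an unauthenticated
  -- (effectively anonymous) bind that many servers accept, so reject it
  -- before contacting the server at all.
  | null password = return False
  | otherwise = do
      ldap <- ldapInitialize ldapUri
      (ldapSimpleBind ldap userDn password >> return True)
        `catchLDAP` (\_ -> return False)
```

Never fall back to a plain ldap:// URI if the TLS connection fails; a failed secure connection should be an authentication failure, not a downgrade.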