Erroneous successful webGUI authentication with blank password and AD authentication backend
Erroneous successful authentication to the webGUI when using Active Directory authentication and no password is specified.
Possible fix by adding blank password check to ldap_backed function:
log_error("ERROR! No password entered.");
Do not allow empty passwords since this might cause problems for some authentication servers like ldap. Fixes #2326
#1 Updated by Kane Rason almost 5 years ago
This behaviour is detailed in section 5.1 of rfc 2829 - http://www.ietf.org/rfc/rfc2829.txt
5.1. Anonymous authentication procedure
An LDAP client which has not successfully completed a bind operation
on a connection is anonymously authenticated.
An LDAP client MAY also specify anonymous authentication in a bind
request by using a zero-length OCTET STRING with the simple
A blank password equates to an anonymous authentication bind request.