Bug #2326

Erroneous successful webGUI authentication with blank password and AD authentication backend

Added by Kane Rason over 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: User manager
Target version:
Start date: 03/30/2012
Due date:
% Done: 100%
Affected version: 2.0.1
Affected Architecture:

Description

Erroneous successful authentication to the webGUI when using Active Directory authentication and no password is specified.

Possible fix by adding blank password check to ldap_backed function:

if(!$passwd) {
    log_error("ERROR! No password entered.");
    return false;
}

Associated revisions

Revision d427980c
Added by Ermal Luçi over 4 years ago

Do not allow empty passwords since this might cause problems for some authentication servers like ldap. Fixes #2326

Revision 88165371
Added by Ermal Luçi over 4 years ago

Do not allow empty passwords since this might cause problems for some authentication servers like ldap. Fixes #2326

History

#1 Updated by Kane Rason over 4 years ago

This behaviour is detailed in section 5.1 of RFC 2829 - http://www.ietf.org/rfc/rfc2829.txt

5.1. Anonymous authentication procedure

An LDAP client which has not successfully completed a bind operation
on a connection is anonymously authenticated.
An LDAP client MAY also specify anonymous authentication in a bind
request by using a zero-length OCTET STRING with the simple
authentication choice.

A blank password equates to an anonymous authentication bind request.
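
The failure mode described in the ticket and in comment #1, as an added example (not pfSense code and not part of the original report). `simulated_simple_bind()` is a constructed stand-in for a directory server applying the RFC 2829 section 5.1 rule, the function names are hypothetical, and the DN and password are constructed sample data.

```php
<?php
// Added example, not pfSense code. The directory entry is constructed sample data.

/**
 * Constructed stand-in for a directory server's simple bind. Per RFC 2829
 * section 5.1, a zero-length password is an anonymous bind request, so it
 * succeeds without the DN's credentials being checked.
 */
function simulated_simple_bind(string $dn, string $passwd): bool
{
    $directory = ['cn=alice,dc=example,dc=test' => 'correct horse'];
    if ($passwd === '') {
        return true; // anonymous bind accepted
    }
    return isset($directory[$dn]) && hash_equals($directory[$dn], $passwd);
}

/** Behaviour reported in the ticket: bind success is treated as proof of identity. */
function authenticate_unchecked(string $dn, string $passwd): bool
{
    return simulated_simple_bind($dn, $passwd);
}

/** Same bind, with the empty-password check done before contacting the server. */
function authenticate_checked(string $dn, ?string $passwd): bool
{
    // Strict comparison, so a password such as "0" is not mistaken for empty.
    if ($passwd === null || $passwd === '') {
        return false;
    }
    return simulated_simple_bind($dn, $passwd);
}

$dn = 'cn=alice,dc=example,dc=test';
foreach (['', 'wrong', 'correct horse'] as $pw) {
    printf(
        "password=%-16s unchecked=%-5s checked=%s\n",
        var_export($pw, true),
        var_export(authenticate_unchecked($dn, $pw), true),
        var_export(authenticate_checked($dn, $pw), true)
    );
}
```

Only the empty password separates the two wrappers; wrong and correct passwords give the same result in both.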

#2 Updated by Chris Buechler over 4 years ago

  • Category changed from Web Interface to User manager
  • Target version set to 2.1

#3 Updated by Ermal Luçi over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Ermal Luçi over 4 years ago

#5 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Closed
