Erroneous successful webGUI authentication with blank password and AD authentication backend
Erroneous successful authentication to the webGUI when using Active Directory authentication and no password is specified.
Possible fix by adding a blank password check to the ldap_backed function:
log_error("ERROR! No password entered.");
Updated by Kane Rason over 10 years ago
This behaviour is detailed in section 5.1 of RFC 2829 - http://www.ietf.org/rfc/rfc2829.txt
5.1. Anonymous authentication procedure
An LDAP client which has not successfully completed a bind operation
on a connection is anonymously authenticated.
An LDAP client MAY also specify anonymous authentication in a bind
request by using a zero-length OCTET STRING with the simple
A blank password equates to an anonymous authentication bind request.
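The blank-password check proposed in the report, set beside the unchecked behaviour, as an added example that is not the project's own code. The directory, its single account and the names `simulated_simple_bind`, `authenticate_unchecked` and `authenticate_checked` are hypothetical; the simulated bind stands in for a real directory server and models only the RFC 2829 section 5.1 rule quoted above, and PHP's built-in `error_log` stands in for the project's `log_error`.

```php
<?php
// Constructed sample directory (DN => password); not taken from the report.
const SAMPLE_DIRECTORY = [
    'CN=alice,CN=Users,DC=example,DC=test' => 'correct horse',
];

/**
 * Hypothetical stand-in for a directory server's simple bind.
 * Models RFC 2829 section 5.1: a zero-length password is an anonymous
 * bind, so the server reports success without checking any credential.
 */
function simulated_simple_bind(string $dn, string $password): bool
{
    if ($password === '') {
        return true; // anonymous bind accepted, whatever the DN
    }
    return array_key_exists($dn, SAMPLE_DIRECTORY)
        && hash_equals(SAMPLE_DIRECTORY[$dn], $password);
}

/** Behaviour described in the report: bind success is taken as login success. */
function authenticate_unchecked(string $dn, string $password): bool
{
    return simulated_simple_bind($dn, $password);
}

/** Proposed fix: refuse a blank password before any bind is attempted. */
function authenticate_checked(string $dn, ?string $password): bool
{
    if ($password === null || $password === '') {
        error_log('ERROR! No password entered.');
        return false;
    }
    return simulated_simple_bind($dn, $password);
}

// Compare both paths for a correct, a wrong and a blank password.
$dn = 'CN=alice,CN=Users,DC=example,DC=test';
foreach (['correct horse', 'wrong', ''] as $pw) {
    printf(
        "%-15s unchecked=%s checked=%s\n",
        var_export($pw, true),
        var_export(authenticate_unchecked($dn, $pw), true),
        var_export(authenticate_checked($dn, $pw), true)
    );
}
```

The check has to run before the bind because a successful anonymous bind is indistinguishable, from the bind result alone, from a successful authenticated one.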