binding with empty password is allowed #36

Closed
inty opened this Issue Sep 4, 2012 · 25 comments

7 participants

inty commented Sep 4, 2012

This is a huge issue if your LDAP server allows anonymous binds... this also wasn't the case before, it was changed with a dubious comment in 498d156.

Owner

BorisMorel commented Sep 16, 2012

Mmhh, yes, it's strange.

I'll check.
Thanks

vittore commented Sep 21, 2012

This is a critical bug.
In my Microsoft Windows 2008 R2 infrastructure every user can log in using only a username and an empty password.
I patched it by adding these lines to LdapManagerUser.php at line 160:

    private function bind()
    {
        if (strlen($this->password)==0) {
            return false;
        }
vittore commented Sep 21, 2012

Here is the Microsoft article: http://support.microsoft.com/kb/320528

And some tests:

Windows 2008r2 DC in 2008r2 domain level.
Correct username, correct password:
res = ldap_simple_bind_s(ld, 'cn=test3,cn=users,dc=ad,dc=virot,dc=test', ); // v.3
Authenticated as: 'Ad\test3'.

Correct username, no password:
res = ldap_simple_bind_s(ld, 'cn=test3,cn=users,dc=ad,dc=virot,dc=test', ); // v.3
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.

Correct username, wrong password:
res = ldap_simple_bind_s(ld, 'cn=test3,cn=users,dc=ad,dc=virot,dc=test', ); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Error 0x80090308 The token supplied to the function is invalid

Incorrect username, random password:
res = ldap_simple_bind_s(ld, 'cn=test5,cn=users,dc=ad,dc=virot,dc=test', ); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Error 0x80090308 The token supplied to the function is invalid

Incorrect username, no password:
res = ldap_simple_bind_s(ld, 'cn=test5,cn=users,dc=ad,dc=virot,dc=test', ); // v.3
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.

So it's clearly a Microsoft problem but, I think, we need to patch it. :-)

v.

Owner

BorisMorel commented Sep 21, 2012

Hi,

I can't patch this because it's allowed to bind with an empty password ...
498d156

But it's very strange that Windows binds the user with an anonymous role
when the password is empty. Can't you configure your AD to prevent this?

Regards,
Boris.

Contributor

inty commented Sep 21, 2012

I use OpenLDAP and it's the same thing because I allow anonymous binds... maybe you could check somehow whether the server allows anonymous binds?

I use bind_anon_dn, if I used bind_anon_cred it would probably fix this issue, but either way I guess this still is an issue.

nymo commented Nov 6, 2012

Same issue here with Win2k3 Server... this is really critical. What about adding validation to the password field with a NotBlank() check?

Edit:
Better idea, what about making it configurable in the security.yml if you want to allow blank password fields or not?

Owner

BorisMorel commented Nov 7, 2012

OK, I'll check this. But the empty password is in RFC 4510-4511.

vittore commented Nov 26, 2012

I made a fork with a little patch to solve this Microsoft Active Directory "feature". If in composer you use zen/ldap-bundle instead of imag/ldap-bundle, access is rejected when the password length is zero.
The only changed file is LdapBundle/Manager/LdapManagerUser.php.
So BorisMorel/LdapBundle is RFC compliant and zen/LdapBundle is Microsoft compliant.

nymo commented Nov 30, 2012

Nice one! I tried it out and it works like a charm. Is there a way to customise the error message via the yml file? Currently it says The LDAP authentication failed!

Owner

BorisMorel commented Dec 13, 2012

It's a bug to display the full message. I have corrected this in the future release. But in dev, if you want to display the full error message, you can use the hide_user_not_found parameter.

Owner

BorisMorel commented Dec 14, 2012

@vittore Please don't remove the original authors from the forked project's composer.json.

vittore commented Dec 14, 2012

OK. I don't know what the best solution is.

This is composer.json:

    "authors": [
        {
            "name": "Vittore Zen",
            "email": "vittore@zen.pn.it",
            "role": "Developer",
            "homepage": "https://github.com/vittore"
        }
    ],

What is the best solution?

v.


Owner

BorisMorel commented Dec 17, 2012

Just keep the original authors and add yourself with the fork maintainer role:

    "authors": [
        {
            "name": "Boris Morel",
            "email": "boris.morel@imag.fr",
            "role": "Developer",
            "homepage": "https://github.com/BorisMorel"
        },
        {
            "name": "Juti Noppornpitak",
            "email": "jutin@nationalfibre.net",
            "role": "Fork Maintainer",
            "homepage": "https://github.com/instaclick"
        },
        {
            "name": "Shiroyuki",
            "role": "Fork Maintainer",
            "homepage": "https://github.com/shiroyuki"
        }
    ],

vittore commented Dec 17, 2012

Thanks for the suggestion. The composer.json file has been changed:

https://github.com/vittore/LdapBundle/blob/master/composer.json

v.


colinmutter commented Jun 7, 2013
Just curious why this library can't perhaps have a setting at least which disallows unauthenticated bind.

http://tools.ietf.org/html/rfc4513#section-5.1.1

LDAP 4513 5.1.2 Unauthenticated Authentication Mechanism of Simple Bind

An LDAP client may use the unauthenticated authentication mechanism
of the simple Bind method to establish an anonymous authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP string form [RFC4514] of non-zero length) and specifying
the simple authentication choice containing a password value of zero
length.

The distinguished name value provided by the client is intended to be
used for trace (e.g., logging) purposes only. The value is not to be
authenticated or otherwise validated (including verification that the
DN refers to an existing directory object). The value is not to be
used (directly or indirectly) for authorization purposes.

Unauthenticated Bind operations can have significant security issues
(see Section 6.3.1). In particular, users intending to perform
Name/Password Authentication may inadvertently provide an empty
password and thus cause poorly implemented clients to request
Unauthenticated access. Clients SHOULD be implemented to require
user selection of the Unauthenticated Authentication Mechanism by
means other than user input of an empty password. Clients SHOULD
disallow an empty password input to a Name/Password Authentication
user interface. Additionally, Servers SHOULD by default fail
Unauthenticated Bind requests with a resultCode of
unwillingToPerform.

@ghost ghost assigned BorisMorel Jun 10, 2013

Contributor

yohannpoli commented Jul 24, 2013

Same problem for me.

Any news about that issue ?

Maybe add an option for "password required" ?

Contributor

jeremylivingston commented Aug 14, 2013

I agree that this is a pretty major issue. I don't think many people will know about this issue before using this code in production. This issue should at least be communicated in the README if it's not going to be fixed.

However, I do agree that this should be configurable. What is the reason for allowing the empty password in the first place? What is a use case where this would be wanted?

Edit: After doing a bit more research, I found that LDAP's simple authentication chooses to authenticate anonymously when a username is supplied without a password. This means that this bundle's behavior is wrong, since it is treating it as a successful authentication from that user. If the bundle were to authenticate to some anonymous role then it would make sense, but as it currently stands this is a major bug that yields unexpected results.

My proposal would be to reject requests that don't include a password, since they are not valid for that user. I can add this functionality back, but I want to make sure that everyone is on board.

Contributor

yohannpoli commented Aug 19, 2013

Any news on that issue?

vittore commented Aug 19, 2013

You can use my fork: in composer use zen/ldap-bundle instead of imag/ldap-bundle.
The only changed file is LdapBundle/Manager/LdapManagerUser.php.
So BorisMorel/LdapBundle is RFC compliant and zen/LdapBundle is Microsoft compliant.

v.

Contributor

yohannpoli commented Aug 19, 2013

Can you please merge your update with the latest version of BorisMorel/LdapBundle?

It seems that IMAG\LdapBundle\Manager\LdapManagerUser is different from the master branch (getLdapUser() from #45)

Contributor

jeremylivingston commented Aug 21, 2013

I don't think that this is a matter of this bundle being "RFC-compliant". This bundle's functionality is inherently wrong.

RFC-compliance states that when a password is not supplied, it should be treated as an anonymous authentication. This bundle treats it as a successful authentication for the provided user, even though it was bound to LDAP anonymously. This is very wrong and a major bug.

Again, I propose that any request without a password should be rejected, since users in Symfony are already anonymously authenticated. I'm currently using my own fork of this bundle, but it would be nice to be able to use this one again.
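As an added example covering both the RFC 4513 text colinmutter quoted and the anonymous-bind behaviour jeremylivingston describes (this is not the bundle's code, nor vittore's patch): a PHP bind helper that refuses an empty password before contacting the server and, assuming a server that supports the RFC 4532 "Who am I?" extended operation (`ldap_exop_whoami`, PHP 7.2+), verifies after the bind that the server did not grant an anonymous authorization state. The URI, DN and function names are placeholders.

```php
<?php
// Added example, not code from the LdapBundle project: a bind helper that
// closes the RFC 4513 "unauthenticated bind" hole this issue describes.
// Assumes the PHP ldap extension with ldap_exop_whoami() (PHP >= 7.2) and a
// server that supports the RFC 4532 "Who am I?" extended operation.

final class EmptyPasswordException extends RuntimeException {}
final class AnonymousBindException extends RuntimeException {}

/**
 * Bind as $dn with $password and return the LDAP link on success.
 *
 * Defence in depth:
 *  1. Refuse a zero-length password before contacting the server, as
 *     RFC 4513 5.1.2 says clients SHOULD. A DN plus an empty password is an
 *     unauthenticated bind, which AD (and OpenLDAP with anonymous binds
 *     enabled) answers with success and an anonymous authorization state.
 *  2. After a successful bind, ask the server which identity it actually
 *     granted ("Who am I?") and refuse an anonymous answer, so the hole
 *     stays closed even if a later refactor drops check 1.
 */
function bindAsUser(string $uri, string $dn, string $password, bool $verifyWhoAmI = true)
{
    if ($dn === '' || $password === '') {
        // Never forward an empty credential: it would be an unauthenticated bind.
        throw new EmptyPasswordException('Refusing bind: DN and password must be non-empty');
    }

    $ld = ldap_connect($uri);
    if ($ld === false) {
        throw new RuntimeException('ldap_connect failed for ' . $uri);
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ld, $dn, $password)) {
        $err = ldap_error($ld);
        ldap_unbind($ld);
        throw new RuntimeException('Bind failed: ' . $err);
    }

    if ($verifyWhoAmI) {
        $authzId = ldap_exop_whoami($ld); // "" means anonymous per RFC 4532
        if ($authzId === false || isAnonymousAuthzId($authzId)) {
            ldap_unbind($ld);
            throw new AnonymousBindException('Server granted an anonymous authorization state for ' . $dn);
        }
    }
    return $ld;
}

/**
 * RFC 4532 authzId forms: "" (anonymous), "dn:<DN>" or "u:<userid>".
 * Active Directory typically answers with the u:DOMAIN\user form.
 */
function isAnonymousAuthzId(string $authzId): bool
{
    $id = trim($authzId);
    if ($id === '') {
        return true;
    }
    // A bare prefix with nothing after it carries no identity either.
    return $id === 'dn:' || $id === 'u:';
}

// Usage sketch with placeholder URI and DN (not a real directory):
// try {
//     $ld = bindAsUser('ldap://dc.example.test',
//                      'cn=alice,cn=users,dc=example,dc=test', $submittedPassword);
// } catch (EmptyPasswordException | AnonymousBindException $e) {
//     // Treat both as an authentication failure; log $e->getMessage() for detection.
// }
```

Both exception types are worth logging separately: a burst of EmptyPasswordException is ordinary user error, while AnonymousBindException means the directory is still accepting unauthenticated binds and should be reconfigured as RFC 4513 6.3.1 recommends.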

Contributor

yohannpoli commented Aug 22, 2013

+1

vittore commented Aug 22, 2013

+1


Owner

BorisMorel commented Aug 22, 2013

OK; this needs to be fixed.

Owner

BorisMorel commented Oct 9, 2013

It's now fixed on the master branch

JStumpp added a commit to JStumpp/docker-rancher-openvpn that referenced this issue Aug 22, 2016

Check for empty password
A correct username with an empty password can successfully be bound to a default Active Directory configuration. This check for an empty password prevents this security issue.
Here are some tests with AD authentication: BorisMorel/LdapBundle#36 (comment)

@JStumpp JStumpp referenced this issue in mdnsfr/docker-rancher-openvpn Aug 22, 2016

Open

Check for empty password #5
