Active directory login accepted with empty string as password using sample application #9
Comments
This is an issue. It is a common issue among LDAP client implementations. It is documented here: http://tools.ietf.org/html/rfc4513#section-6.3.1 in RFC-4513. The quick summary is that if the LDAP server is configured to allow what is called "Unauthenticated Authentication" a bind request with an empty password will be authenticated. The best practice on the server side is to not allow this: http://www.ldapguru.info/ldap/authentication-best-practices.html However, on the client side, in order to use LDAP for the purposes of authentication, only bind requests with greater than zero length passwords should be allowed so as to only ever allow "authenticated" bind requests. @ericrasmussen or I will be submitting a pull request shortly.
Added check for zero length password w/ tests and docs (Fixes Issue #9)
Allowing or disallowing bind attempts with a DN and an empty password is an LDAP server setting and should remain the LDAP server administrator's responsibility. It's not up to a middleware package such as pyramid_ldap to force a policy here. The merge should never have been done and the issue rejected. This is not a pyramid_ldap issue, just an LDAP server configuration.
Closing due to already-merged.
I want to clarify information for the record in case this issue comes under review in the future. @dataflake: Please read this section of the LDAP RFC: http://tools.ietf.org/html/rfc4513#section-6.3.1 . While you are correct that this issue can be resolved on the LDAP server side by configuring LDAP to not allow unauthenticated binds, the RFC clearly calls out that client code can and should be aware of unauthenticated binds and should not use them for user authentication. It specifically describes implementing this on the client side by not allowing users to "authenticate" with a zero-length password. There are legitimate cases for allowing unauthenticated binds while still using LDAP to do proper authentication, in which case it does become the client's job to differentiate between a bind and an "authentication." Thankfully, pyramid_ldap has a specific function for "authentication", which is where this patch was applied. To disallow empty passwords in a "bind" operation on the client side would be a mistake, but that is not what was done in this patch.
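The client-side distinction between a bind and an authentication that the comments above discuss, as an added example (not pyramid_ldap's patch or python-ldap code): the stand-in server, the `uid=...,ou=people` DN layout and the user `alice` are constructed for this illustration.

```python
# Added example, not pyramid_ldap's own code: a client-side guard that keeps an
# RFC 4513 section 6.3.1 "unauthenticated" bind from counting as a login.
# The server class is a constructed stand-in for a directory that allows such
# binds; its bind method loosely mirrors python-ldap's simple_bind_s() shape.


class InvalidCredentials(Exception):
    """Raised by the stand-in server when a bind is refused."""


class UnauthenticatedBindServer:
    """Constructed LDAP stand-in configured to allow unauthenticated binds."""

    def __init__(self, entries):
        self.entries = entries  # {dn: password}, hypothetical sample data

    def simple_bind_s(self, dn, password):
        if dn not in self.entries:
            raise InvalidCredentials(dn)
        if password == "":
            # A DN with an empty password is an *unauthenticated* bind: a server
            # that permits it answers success without checking any credential.
            return True
        if self.entries[dn] != password:
            raise InvalidCredentials(dn)
        return True


def authenticate(server, login, password, base="ou=people,dc=example,dc=org"):
    """Return the user's DN on success, None otherwise.

    Zero-length passwords are rejected before the server is contacted, so an
    unauthenticated bind can never be mistaken for an authentication.
    """
    if not password:
        return None
    dn = "uid=%s,%s" % (login, base)  # hypothetical DN layout
    try:
        server.simple_bind_s(dn, password)
    except InvalidCredentials:
        return None
    return dn


# Constructed sample directory with a single user.
SAMPLE_SERVER = UnauthenticatedBindServer(
    {"uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple"}
)
```

The raw bind still succeeds with an empty password against this server (the behaviour reported in the issue); only the `authenticate` wrapper refuses it.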
While trying to implement active directory auth with pyramid_ldap for a pyramid project, I came across an issue which I can replicate using code from the sample app.
When adapting the code to authenticate using our AD domain controller, any existing username can successfully log in using the empty string as password.
To replicate:
Can anyone confirm this or am I missing something?