Bind operation with empty password doesn't throw exception #229

Closed
aleksvujic opened this issue May 26, 2023 · 1 comment

Comments

@aleksvujic

We are using .NET 7 and Novell.Directory.Ldap.NETStandard 3.6.0. We have the following code snippet for validating username and password against an LDAP server:

try
{
  using (var connection = new LdapConnection(ldapOptions) { SecureSocketLayer = true, ConnectionTimeout = timeoutMs })
  {
    connection.Connect(ldapServer.Url, ldapServer.Port);

    _logger.LogInformation($"Connection to LDAP server {ldapServer} succeeded");

    connection.Bind(usernameWithDomain, string.Empty);

    if (connection.Bound)
    {
      _logger.LogInformation($"User {usernameWithDomain} LDAP bind successful (Password verification passed).");
      return PasswordVerificationResultExtended.Success;
    }
  }
}
catch (LdapException ex)
{
  if (ex.ResultCode == LdapException.ServerDown || ex.ResultCode == LdapException.ConnectError)
  {
    _logger.LogError($"Error during LDAP connect/bind! User={usernameWithDomain}, Server={ldapServer}, Error={ex.Message}");
    return PasswordVerificationResultExtended.Failed;
  }
  else if (ex.ResultCode == LdapException.InvalidCredentials)
  {
    _logger.LogError($"Username {usernameWithDomain} and password don't match!");
    return PasswordVerificationResultExtended.Failed;
  }
  else
  {
    _logger.LogError($"Error during LDAP connect/bind! User={usernameWithDomain}, Server={ldapServer}, Error={ex.Message}");
    return PasswordVerificationResultExtended.Failed;
  }
}
catch (Exception ex)
{
  _logger.LogError($"Error during LDAP connect/bind! User={usernameWithDomain}, Server={ldapServer}, Error={ex.Message}");
  return PasswordVerificationResultExtended.Failed;
}

Pay attention to the connection.Bind(usernameWithDomain, string.Empty); line. I would expect that an exception with the LdapException.InvalidCredentials result code would be thrown in such a case. Instead, only the connection.Bound field is set to false.

Is this a bug?

@klasen

klasen commented Jun 9, 2023

Zero length passwords are used in Unauthenticated Simple Binds:
https://www.rfc-editor.org/rfc/rfc4513#section-5.1.2
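
An added example, not part of this thread or of the library's own code: a password check that refuses zero-length credentials before they reach Bind, because RFC 4513 section 5.1.2 treats a name with an empty password as an unauthenticated bind in which no password is verified. The class, enum and method names are hypothetical; the LdapConnection members are the ones used in the snippet above.

```csharp
using System;
using Novell.Directory.Ldap;

// Hypothetical helper (not part of Novell.Directory.Ldap): verifies a password
// by simple bind while refusing the RFC 4513 section 5.1.2 unauthenticated bind.
public static class LdapPasswordCheck
{
    public enum Result { Success, EmptyCredentials, InvalidCredentials, Error }

    public static Result Verify(string host, int port, string userDn, string password)
    {
        // A non-empty name with a zero-length password is an unauthenticated
        // simple bind: the server never compares a password, so the outcome
        // says nothing about the user. Reject it before any network traffic.
        if (string.IsNullOrEmpty(userDn) || string.IsNullOrEmpty(password))
            return Result.EmptyCredentials;

        try
        {
            using (var connection = new LdapConnection { SecureSocketLayer = true })
            {
                connection.Connect(host, port);
                connection.Bind(userDn, password);

                // Treat only an authenticated bind as success; a bind that
                // returns without throwing is not sufficient on its own.
                return connection.Bound ? Result.Success : Result.InvalidCredentials;
            }
        }
        catch (LdapException ex) when (ex.ResultCode == LdapException.InvalidCredentials)
        {
            return Result.InvalidCredentials;
        }
        catch (LdapException)
        {
            // Connection failures and every other LDAP result code fail closed.
            return Result.Error;
        }
    }
}
```

RFC 4513 also says servers SHOULD by default fail unauthenticated bind requests with unwillingToPerform, so the client-side guard is a second layer, not a replacement for server configuration.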
