LDAP authentication against Active Directory allows empty passwords #173

Closed
danlii opened this Issue Oct 2, 2017 · 2 comments


danlii commented Oct 2, 2017

An LDAP bind with empty password against an Active Directory gets "translated" to an anonymous bind, like so:
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
Depending on the LDAP client, this is interpreted as a successful bind with the correct username, and this is the case with the tcllib ldap module. To prevent logins with empty passwords in Netmagis, we would need to prevent empty passwords altogether, at least when the LDAP server is an Active Directory.

Collaborator

pdav commented Oct 2, 2017

According to RFC 4513, section 5.1.2, LDAP authentication falls back to "unauthenticated bind" when given an empty password. This seems to be perfectly legal, albeit absurd.
User authentication needs to be blocked when an empty password is given.

@pdav pdav self-assigned this Oct 2, 2017

@pdav pdav added the bug label Oct 2, 2017

@pdav pdav added this to the v2.3.4 milestone Oct 2, 2017
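The behaviour discussed in this issue and the guard the maintainer describes, as an added Python example that is not part of the original thread and not Netmagis code. `StubDirectory`, `naive_login`, `safe_login` and the sample account are constructed for illustration; the stub only mimics a server that answers an empty-password simple bind with success as an anonymous identity.

```python
# Added example: constructed stand-in for a directory server, not Netmagis code.
ANONYMOUS = r"NT AUTHORITY\ANONYMOUS LOGON"


class BindError(Exception):
    """Raised by the stub when a simple bind is refused."""


class StubDirectory:
    """Constructed stub mimicking the server behaviour described in the issue."""

    def __init__(self, accounts):
        self.accounts = accounts  # dn -> password (constructed sample data)

    def simple_bind(self, dn, password):
        # RFC 4513: a zero-length password makes this an anonymous (5.1.1)
        # or unauthenticated (5.1.2) bind; the server may answer "success"
        # without verifying anything about `dn`.
        if password == "":
            return ANONYMOUS
        if self.accounts.get(dn) != password:
            raise BindError("invalid credentials")
        return dn


def naive_login(directory, dn, password):
    """Flawed pattern: treats any successful bind as proof of identity."""
    try:
        directory.simple_bind(dn, password)
    except BindError:
        return False
    return True


def safe_login(directory, dn, password):
    """Refuse empty credentials before the bind request is ever sent."""
    if not dn or not password:
        return False
    try:
        directory.simple_bind(dn, password)
    except BindError:
        return False
    return True


# Constructed sample account.
ALICE = "cn=alice,dc=example,dc=org"
DIRECTORY = StubDirectory({ALICE: "correct horse"})
```
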

pdav added a commit that referenced this issue Oct 6, 2017

Collaborator

pdav commented Oct 6, 2017

Release 2.3.4 is now published.
Thanks for your report.

@pdav pdav closed this Oct 6, 2017

uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Mar 11, 2018

riggs
Update to upstream version 2.3.4
Details:
- Fix issue where LDAP login with empty password
  was possible, see
  netmagis/netmagis#173
- Fix LICENSE*
- Pet portlint

PR:		226437
Submitted by:	dgeo@centrale-marseille.fr
Approved by:	pdagog@gmail.com (maintainer)
MFH:		2018Q1


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@464190 35697150-7ecd-e111-bb59-0022644237b5

uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Mar 11, 2018

MFH: r464190
Update to upstream version 2.3.4

Details:
- Fix issue where LDAP login with empty password
  was possible, see
  netmagis/netmagis#173
- Fix LICENSE*
- Pet portlint

PR:		226437
Submitted by:	dgeo@centrale-marseille.fr
Approved by:	pdagog@gmail.com (maintainer)

Approved by:	ports-secteam (riggs)
