-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bind and bind_as methods return results if a empty password is submitted #5
Comments
Comment by Rubyforge user bidon on 2007-08-31: That's not the Net::LDAP fault. Any LDAP server that allow anonymous |
I agree with bidon. LDAP servers will allow a bind with no password if so configured. It is normal to allow anonymous binding. |
At the very least, please document this behavior in the bind and bind_as method documentation. |
Note that this also applies for an empty username (dn). |
From the spec, as @jzinn points out:
Perhaps we should explicitly require a password or introduce a separate method for Unauthenticated authentication/bind operations ( |
Separate methods sounds good. This we match up (http://www.openldap.org/doc/admin24/security.html) 14.3 better too. This would be the final step to version 1.0 according to semver ;) |
+1 |
I agree that the documentation definitely needs to at least mention this:
It makes it sound like it only returns the user if you authenticated as that user. Just been burned by this. I assume the workaround is to do something like |
My solution was to just check whether the username or password are blank before even sending the authentication request. If either are blank, then I just immediately fail the login attempt. |
Originally submitted as issue 8591 on RubyForge on 2007-02-13.
bind and bind_as return results if a empty password is submitted. If a incorrect password is given it fails. However
to my mind, if you don't provide a password the bind should fail. I think this is a bug. The code below follows the
example code.
Here is the code that I've run to test. As you can see by the result, this ends up returning the same results regardless
if you enter a password or if you enter the correct pass. You only get a failure when you enter the incorrect password.
The text was updated successfully, but these errors were encountered: