Defect #714
LDAP authentication without password
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | Closed | Start date: | 2008-02-22 |
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Accounts / authentication | | |
| Target version: | 0.7 | | |
| Affected version: | 0.6.3 | Resolution: | Fixed |
Description
I configured LDAP authentication using ActiveDirectory.
Users are able to log in by their username/password, but they also can log in with empty password.
If they enter a wrong password (which is not an empty string) they get the "Invalid user or password" message.
I think the problem is in ruby-net-ldap. It is used in /app/models/auth_source_ldap.rb around line 50:
```ruby
# authenticate user
ldap_con = initialize_ldap_con(dn, password)
return nil unless ldap_con.bind
```
ldap_con.bind returns true when an empty string is given as the password.
Redmine version: v0.6.3
ruby-net-ldap version: 0.0.4
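The behaviour the report describes is the LDAP "unauthenticated" simple bind (RFC 4513 section 5.1.2): a bind request carrying a DN and an empty password is treated by many directories as anonymous and succeeds, so an application that relies on the bind result alone accepts any username with a blank password. The following Ruby example is added here and is not Redmine's code; it uses a constructed FakeLdapConnection class (an assumption standing in for a Net::LDAP connection, with a made-up directory entry) to reproduce that bind behaviour offline, and shows the reported flow beside a guarded version that refuses to bind at all when the password is blank.

```ruby
# Added example (not Redmine's own code): models the empty-password bind
# problem and the guard that prevents it.
#
# FakeLdapConnection is constructed for this example and stands in for a
# Net::LDAP connection. It reproduces the observed directory behaviour:
# a simple bind with an empty password is treated as an anonymous bind
# and succeeds regardless of the DN supplied.
class FakeLdapConnection
  # Constructed directory contents: DN => password
  DIRECTORY = {
    'cn=alice,ou=users,dc=example,dc=com' => 's3cret'
  }.freeze

  def initialize(dn, password)
    @dn = dn
    @password = password
  end

  # Mimics Net::LDAP#bind: true on success, false on failure.
  def bind
    # Empty password => unauthenticated (anonymous) bind, which succeeds.
    return true if @password.nil? || @password.empty?
    DIRECTORY[@dn] == @password
  end
end

def initialize_ldap_con(dn, password)
  FakeLdapConnection.new(dn, password)
end

# The flow from the report: the bind result alone decides authentication,
# so a blank password for any DN is accepted.
def authenticate_vulnerable(dn, password)
  ldap_con = initialize_ldap_con(dn, password)
  return nil unless ldap_con.bind
  dn
end

# Guarded flow: reject a blank password before any bind is attempted, so the
# directory never gets the chance to downgrade the request to an anonymous bind.
def authenticate_hardened(dn, password)
  return nil if password.to_s.strip.empty?
  ldap_con = initialize_ldap_con(dn, password)
  return nil unless ldap_con.bind
  dn
end

if __FILE__ == $PROGRAM_NAME
  dn = 'cn=alice,ou=users,dc=example,dc=com'
  puts "vulnerable, empty password: #{authenticate_vulnerable(dn, '').inspect}"
  puts "hardened,   empty password: #{authenticate_hardened(dn, '').inspect}"
  puts "hardened,   right password: #{authenticate_hardened(dn, 's3cret').inspect}"
end
```

The guard belongs in the application because the directory's policy cannot be relied on: whether an unauthenticated bind is refused is a server-side setting, and the reporters above saw it accepted on both Active Directory and eDirectory. Checking for a blank password before calling bind (rather than inspecting the bind result afterwards) is the only check that works the same against every directory.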
History
Updated by Sven Schuchmann almost 4 years ago
You are right. The same thing here.
Authentication against a Novell eDirectory (LDAP) with an empty password lets everyone in...
Updated by Witold Oleksiak almost 4 years ago
Confirmed - the same behavior when authenticating against MS Active Directory...
Updated by Jean-Philippe Lang almost 4 years ago
- Status changed from New to Resolved
- Resolution set to Fixed
I cannot reproduce this problem with openldap. Anyway, the fix is committed in trunk (r1169) and 0.6 branch (r1170).
0.6.3 users can apply this patch to fix it:
http://www.redmine.org/repositories/diff/redmine?rev=1170
Updated by Tibor Toth almost 4 years ago
Thank you, the fix is working.
Updated by Jean-Philippe Lang almost 4 years ago
- Status changed from Resolved to Closed
- Target version set to 0.7