Defect #714

LDAP authentication without password

Added by Tibor Toth 154 days ago. Updated 117 days ago.

Status: Closed
Start: 2008-02-22
Priority: High
Due date:
Assigned to: -
% Done: 0%
Category: Accounts
Target version: 0.7
Affected version: 0.6.3
Resolution: Fixed


Description

I configured LDAP authentication using ActiveDirectory.

Users are able to log in with their username/password, but they can also log in with an empty password.

If they enter a wrong password (which is not an empty string), they get the "Invalid user or password" message.

I think the problem is in ruby-net-ldap. It is used in /app/models/auth_source_ldap.rb around line 50:

# authenticate user
ldap_con = initialize_ldap_con(dn, password)
return nil unless ldap_con.bind

ldap_con.bind returns true when an empty string is given as the password.

Redmine version: v0.6.3
ruby-net-ldap version: 0.0.4
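The failure mode reported above, as an added illustration that is not Redmine's code nor its actual patch: FakeLdapConnection is a constructed stand-in for the Net::LDAP connection whose bind treats an empty password as an anonymous (unauthenticated) bind and so returns true, and the hardened variant shows the guard that keeps such a bind from being mistaken for a user login.

```ruby
# Added example (not Redmine's code): models the anonymous-bind pitfall behind #714
# and the guard that closes it. FakeLdapConnection stands in for Net::LDAP; its bind
# mimics a directory that treats an empty password as an anonymous (unauthenticated)
# bind and therefore returns true, which is the behaviour the report describes.

class FakeLdapConnection
  # Constructed directory of DN => password; stands in for the real server.
  DIRECTORY = { "cn=alice,dc=example,dc=org" => "s3cret" }.freeze

  def initialize(dn, password)
    @dn = dn
    @password = password
  end

  # Unauthenticated bind semantics: name present but empty password => success
  # as an anonymous session, not as the named user.
  def bind
    return true if @password.to_s.empty?
    DIRECTORY[@dn] == @password
  end
end

# Vulnerable flow, mirroring the snippet from the report: the bind result alone decides.
def authenticate_vulnerable(dn, password)
  ldap_con = FakeLdapConnection.new(dn, password)
  return nil unless ldap_con.bind
  dn
end

# Hardened flow: refuse blank credentials before touching the directory, so an
# anonymous bind can never be mistaken for a user authentication.
def authenticate_fixed(dn, password)
  return nil if dn.to_s.strip.empty? || password.to_s.strip.empty?
  ldap_con = FakeLdapConnection.new(dn, password)
  return nil unless ldap_con.bind
  dn
end

if __FILE__ == $0
  dn = "cn=alice,dc=example,dc=org"
  puts "vulnerable, empty password: #{authenticate_vulnerable(dn, '').inspect}" # accepted
  puts "fixed, empty password:      #{authenticate_fixed(dn, '').inspect}"      # nil
  puts "fixed, correct password:    #{authenticate_fixed(dn, 's3cret').inspect}"
end
```

With the real Net::LDAP the same blank-credential check belongs before the bind call, since the server, not the client library, decides whether an empty password is an anonymous bind.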

Associated revisions

Revision 1169
Added by jplang 153 days ago

Fixed: LDAP authentication without password may be possible (#714).

Revision 1199
Added by jplang 140 days ago

Fix LDAP authentication (#714, broken by r1194).

History

2008-02-22 15:32 - Sven Schuchmann

You are right. The same thing here.
Authentication against a Novell eDirectory (LDAP)
with an empty password lets everyone in...

2008-02-22 17:13 - Witold Oleksiak

Confirmed - the same behavior when authenticating against MS Active Directory...

2008-02-22 18:34 - Jean-Philippe Lang

  • Status changed from New to Resolved
  • Resolution set to Fixed

I can not reproduce this problem with openldap. Anyway, the fix is committed in trunk (r1169) and 0.6 branch (r1170).

0.6.3 users can apply this patch to fix it:
http://www.redmine.org/repositories/diff/redmine?rev=1170

2008-02-25 10:36 - Tibor Toth

Thank you, the fix is working.

2008-03-30 00:01 - Jean-Philippe Lang

  • Status changed from Resolved to Closed
  • Target version set to 0.7
