LDAP authentication without password
I configured LDAP authentication using ActiveDirectory.
Users are able to log in with their username/password, but they can also log in with an empty password.
If they enter a wrong password (which is not an empty string), they get the "Invalid user or password" message.
I think the problem is in ruby-net-ldap. It is used in /app/models/auth_source_ldap.rb around line 50:

    # authenticate user
    ldap_con = initialize_ldap_con(dn, password)
    return nil unless ldap_con.bind

ldap_con.bind returns true when an empty string is given as the password.
Redmine version: v0.6.3
ruby-net-ldap version: 0.0.4
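
Background for the behaviour reported above: RFC 4513 defines a simple bind with a DN and a zero-length password as an "unauthenticated" bind, and a directory that accepts such binds reports success without checking any credential. The following is an added example, not code from Redmine, ruby-net-ldap or the reporter; FakeDirectory, FakeLdapCon, both authenticate_* methods and the sample DN and password are constructed stand-ins so that it runs offline.

```ruby
# Constructed stand-in for a directory server that accepts RFC 4513
# "unauthenticated" simple binds (DN present, zero-length password).
class FakeDirectory
  def initialize(users)
    @users = users # constructed sample data: DN => password
  end

  # Models a simple bind; returns [success, authorization identity].
  def simple_bind(dn, password)
    return [true, :anonymous] if password.to_s.empty? # anonymous/unauthenticated bind
    return [true, dn] if @users[dn] == password       # name/password bind
    [false, nil]
  end
end

# Hypothetical connection wrapper shaped like the snippet in the report.
class FakeLdapCon
  def initialize(directory, dn, password)
    @directory, @dn, @password = directory, dn, password
  end

  def bind
    @directory.simple_bind(@dn, @password).first
  end
end

# Behaviour described in the report: the bind result alone decides the login,
# so a successful unauthenticated bind is mistaken for a verified password.
def authenticate_vulnerable(directory, dn, password)
  ldap_con = FakeLdapCon.new(directory, dn, password)
  return nil unless ldap_con.bind
  dn
end

# Hardened form: refuse a missing DN or password before contacting the
# directory, so only name/password binds can ever count as a login.
def authenticate_hardened(directory, dn, password)
  return nil if dn.to_s.empty? || password.to_s.empty?
  ldap_con = FakeLdapCon.new(directory, dn, password)
  return nil unless ldap_con.bind
  dn
end

ALICE = "cn=alice,dc=example,dc=test" # constructed DN
DIRECTORY = FakeDirectory.new(ALICE => "s3cret-constructed")
```

The check belongs in the application because the bind response alone does not distinguish an unauthenticated bind from a verified one.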
Updated by Jean-Philippe Lang over 15 years ago
- Status changed from New to Resolved
- Resolution set to Fixed
0.6.3 users can apply this patch to fix it: