
(ITS#5547) JLDAP: unauthenticated bind silently converted to anonymous bind



Full_Name: Johannes Geiger
Version: n/a
OS: Windows, Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.245.172.60)


While the documentation of JLDAP states that only authenticated and anonymous
bind are supported, JLDAP silently converts an unauthenticated bind to an
anonymous one. 

From LDAPconnection.java

        boolean anonymous = false;
        if( passwd.length == 0) {
            anonymous = true; // anonymous, passwd length zero with simple bind
            dn = "";          // set to null if anonymous
        }

(I even think there is a bug in this, as the flag "anonymous" stays false if a
password is given but no dn.)

This is in fact a security issue: while unauthenticated bind is usually forbidden
by the server, anonymous bind is allowed, so a client using bind for
authentication purposes might be led to believe in a successful authentication
whereas the server only accepted an anonymous bind and did not do any credential
verification.
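
An added example (not code from the report or from JLDAP itself) of the client-side guard a practitioner would want when JLDAP is used for authentication: classify the bind request by the three simple-bind shapes named in RFC 4513 section 5.1 before calling the library, and only hand a name/password bind to it, so that a successful return from bind() can be trusted as a verified credential. The class, enum and method names are mine; the JLDAP calls are the ones I recall from the LDAPConnection API (bind(int, String, byte[]), LDAP_V3, DEFAULT_PORT, connect, getAuthenticationDN, disconnect) and should be checked against the JLDAP version in use; host, DN and password are made-up values.

```java
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;

import java.nio.charset.StandardCharsets;

/**
 * Guard against the conversion described in the report: refuse to hand JLDAP a
 * bind request that it would silently turn into an anonymous bind.
 *
 * RFC 4513 section 5.1 distinguishes three simple-bind shapes:
 *   anonymous        - empty name, empty password
 *   unauthenticated  - non-empty name, empty password
 *   name/password    - non-empty name, non-empty password
 * Only the last one makes the server verify a credential.
 */
public final class AuthenticatedBind {

    /** Shape of a simple bind request; names follow RFC 4513 section 5.1. */
    public enum BindKind { ANONYMOUS, UNAUTHENTICATED, NAME_PASSWORD, PASSWORD_WITHOUT_NAME }

    /**
     * Classify before the library sees the request. Unlike the snippet quoted
     * in the report, "password but no DN" is reported as its own case rather
     * than falling through as if it were an ordinary simple bind.
     */
    public static BindKind classify(String dn, byte[] passwd) {
        boolean noDn = (dn == null || dn.isEmpty());
        boolean noPw = (passwd == null || passwd.length == 0);
        if (noDn && noPw) return BindKind.ANONYMOUS;
        if (!noDn && noPw) return BindKind.UNAUTHENTICATED;
        if (noDn)          return BindKind.PASSWORD_WITHOUT_NAME;
        return BindKind.NAME_PASSWORD;
    }

    /**
     * Bind only when the server will actually check a password. Every other
     * shape is rejected locally, so the caller never mistakes an anonymous
     * bind accepted by the server for a verified login.
     */
    public static void bindAuthenticated(LDAPConnection conn, String dn, byte[] passwd)
            throws LDAPException {
        BindKind kind = classify(dn, passwd);
        if (kind != BindKind.NAME_PASSWORD) {
            throw new IllegalArgumentException(
                "refusing " + kind + " bind for dn=\"" + dn + "\": no credential would be verified");
        }
        conn.bind(LDAPConnection.LDAP_V3, dn, passwd);
    }

    // Demonstration only; host, DN and password are made-up values.
    public static void main(String[] args) throws LDAPException {
        String dn = "cn=app,ou=services,dc=example,dc=com";
        byte[] empty = new byte[0];

        // The quoted JLDAP code would turn this into dn="" and bind anonymously,
        // which a server that permits anonymous bind will accept. The wrapper
        // refuses it before any request is sent.
        try {
            bindAuthenticated(new LDAPConnection(), dn, empty);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Only a name/password bind reaches the server.
        LDAPConnection conn = new LDAPConnection();
        conn.connect("ldap.example.com", LDAPConnection.DEFAULT_PORT);
        bindAuthenticated(conn, dn, "s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println("bound as " + conn.getAuthenticationDN());
        conn.disconnect();
    }
}
```

The check matters most where the password comes from user input: a login form submitted with a valid username and an empty password field would otherwise reach bind() as an unauthenticated bind and come back as a "successful" anonymous one. Configuring the server to reject unauthenticated binds (OpenLDAP slapd does so unless `allow bind_anon_dn` is set) does not close this hole, because the request JLDAP actually sends is a plain anonymous bind; the rejection has to happen on the client side before the library rewrites the request.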