Re: LDAP bind with blank password
This behavior is defined by the design of LDAP.
It is described in RFC 2829, but most clearly stated in
draft-ietf-ldapbis-authmeth:
An LDAP client MAY also choose to explicitly bind anonymously. A
client that wishes to do so MUST choose the simple authentication
option in the Bind Request (see section 4.1) and set the password to
be of zero length. (This is often done by LDAPv2 clients.) Typically
the name is also of zero length.
-Steve
>
> >>> Pierangelo Masarati <masarati@aero.polimi.it> 12/10/01 11:52AM >>>
> > Hi again,
> >
> > I just noticed that ldapd considers a bind where a bind DN is
> > supplied but where a blank password is given to be anonymous given
> > some kind of read permissions for anonymous. Is that how it is
> > supposed to work?
> >
> > The reason for asking is that I wrote some authentication code that
> > uses a simple bind with dn and password to authenticate users and was
> > somewhat surprised that the bind call returned zero with an incorrect
> > password. Of course this is easily fixable by just disallowing blank
> > passwords in my code but I'd still like to know why things were
> > designed like that.
>
> A bind with a DN but with an empty password is equivalent to an
> anonymous bind, while a bind with a DN and with a wrong password is
> not; the latter, for obvious reasons, is rejected.
>
> I don't know why it was designed this way, though.
>
> Pierangelo.
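The failure mode discussed in this thread, and the client-side fix the original poster mentions, as an added example (not code from the thread or from OpenLDAP). It models a server that follows the quoted RFC text (a simple bind with a zero-length password is an anonymous bind, resultCode 0, regardless of the DN supplied), then shows a naive client that trusts resultCode 0 beside a hardened one that refuses to send an empty password and also checks that the bind established the expected identity. The directory contents, the `authz_identity` field and the function names are constructed for the example; the result codes 0 and 49 are the standard LDAP `success` and `invalidCredentials` values.

```python
"""Added example: why an empty-password simple bind 'succeeds' and how to guard against it."""
from dataclasses import dataclass

# Constructed sample directory: DN -> password (plain text only in this toy model).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}

# Standard LDAP resultCode values (RFC 4511, section 4.1.9).
SUCCESS = 0
INVALID_CREDENTIALS = 49


@dataclass
class BindResult:
    result_code: int
    authz_identity: str  # "" means the connection is anonymous


def server_simple_bind(name: str, password: str) -> BindResult:
    """Model of a server following the RFC text quoted above.

    A simple bind with a zero-length password is treated as an anonymous
    bind and is NOT an error, even when a DN was supplied.  A non-empty
    but wrong password is rejected with invalidCredentials.
    """
    if password == "":
        return BindResult(SUCCESS, "")           # anonymous, resultCode 0
    if DIRECTORY.get(name) == password:
        return BindResult(SUCCESS, name)         # authenticated as `name`
    return BindResult(INVALID_CREDENTIALS, "")   # wrong password


def naive_authenticate(name: str, password: str) -> bool:
    """The pattern from the original post: treat resultCode 0 as 'password OK'."""
    return server_simple_bind(name, password).result_code == SUCCESS


def safe_authenticate(name: str, password: str) -> bool:
    """Hardened client.

    1. Never send a bind with an empty DN or empty password; by the RFC
       that request means 'bind anonymously', not 'check this password'.
    2. Treat the bind as a login only if the server reports the expected
       identity, so an anonymous success can never be mistaken for one.
    """
    if not name or not password:
        return False
    result = server_simple_bind(name, password)
    return result.result_code == SUCCESS and result.authz_identity == name


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print("naive, empty password :", naive_authenticate(dn, ""))   # True  (the bug)
    print("safe,  empty password :", safe_authenticate(dn, ""))    # False
    print("safe,  right password :", safe_authenticate(dn, "correct horse battery staple"))  # True
    print("safe,  wrong password :", safe_authenticate(dn, "nope"))  # False
```

The second check in `safe_authenticate` stands in for what a real client would do with an authorization-identity request or "Who am I?" operation after binding; in the toy model it simply reads the identity the simulated server recorded.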