
Re: LDAP bind with blank password



Daniel Tiefnig wrote:
> 
> Pierangelo Masarati wrote...:
> >>
> >> I just noticed that ldapd considers a bind where a bind DN is
> >> supplied but where a blank password is given to be anonymous given
> >> some kind of read permissions for anonymous. Is that how it is
> >> supposed to work?
> >
> > A bind with a DN but with an empty password is equivalent to an
> > anonymous bind, while a bind with a DN and with a wrong password is
> > not; the latter, for obvious reasons, is rejected.
> 
> going farther, i'd say a bind with a DN that isn't in the DB without any
> or with an arbitrary password (of course wrong/correct doesn't apply
> here) is considered to be anonymous bind.. at least for openldap1.2.X, i
> think i remember there was a change with openldap2.0, but i'm not sure
> about that now..
> comments?

If the dn refers to a naming context that is not held by the DSA,
if a referral is available it is returned, otherwise an
LDAP_INVALID_CREDENTIALS error is returned.

If the dn is not in the database, no referrals can be determined for
such entry and it is not the rootdn, then LDAP_INVALID_CREDENTIALS
is returned.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
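
The behaviour discussed in this thread matters to any application that uses an LDAP simple bind as its login check: a bind with a DN and an empty password succeeds as anonymous, so the application must reject it before it reaches the server. The following is an added example, not part of the original messages and not OpenLDAP code; the directory contents, the `fake_simple_bind` stand-in and all function names are constructed for illustration.

```python
from enum import Enum

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # numeric value of the LDAP result code

class BindKind(Enum):
    ANONYMOUS = 1        # empty DN, empty password
    UNAUTHENTICATED = 2  # DN supplied, empty password: treated as anonymous
    NAME_PASSWORD = 3    # DN and password both non-empty
    UNDEFINED = 4        # empty DN with a password; refused here

def classify_simple_bind(dn, password):
    """Classify a simple bind request by which fields are non-empty."""
    has_dn = bool(dn and dn.strip())
    has_pw = bool(password)
    if has_dn:
        return BindKind.NAME_PASSWORD if has_pw else BindKind.UNAUTHENTICATED
    return BindKind.UNDEFINED if has_pw else BindKind.ANONYMOUS

# Constructed stand-in for a directory server that behaves as the thread
# describes: empty password => anonymous success, otherwise verify.
FAKE_DIRECTORY = {"uid=alice,dc=example,dc=com": "correct horse"}

def fake_simple_bind(dn, password):
    if not password:
        return LDAP_SUCCESS  # anonymous bind, whatever DN was supplied
    if FAKE_DIRECTORY.get(dn) == password:
        return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS  # wrong password or unknown DN

def naive_login(dn, password, bind=fake_simple_bind):
    """Flawed pattern: treats any successful bind as proof of identity."""
    return bind(dn, password) == LDAP_SUCCESS

def guarded_login(dn, password, bind=fake_simple_bind):
    """Only a name/password bind is allowed to count as a login."""
    if classify_simple_bind(dn, password) is not BindKind.NAME_PASSWORD:
        return False  # never send anonymous-equivalent binds as logins
    return bind(dn, password) == LDAP_SUCCESS

if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"
    for pw in ("", "wrong", "correct horse"):
        print(repr(pw), classify_simple_bind(alice, pw).name,
              "naive:", naive_login(alice, pw),
              "guarded:", guarded_login(alice, pw))
```
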