Bind accepts any password where the real password is a prefix?
- To: openldap-technical@openldap.org
- Subject: Bind accepts any password where the real password is a prefix?
- From: Christopher Kenna <cjkenna@gmail.com>
- Date: Tue, 26 Jan 2010 14:17:58 -0500
Greetings,
We are running OpenLDAP at our organization to do authentication for
Linux machines. One strange thing I noticed is that I can bind to the
server using my password, or *any* password that contains my actual
password as a prefix. Let me explain with an example.
Suppose my password is "banana" (it's not). Then these passwords work
to bind to the database:
- banana
- banana2
- bananafjksdfs
But these won't work:
- mbanana
- banan
I'm testing this with this command:
ldapsearch -x -W -ZZ -H ldap://<server_address>.com \
-b dc=mydomain,dc=com \
-D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \
'(uid=<my_uid>)'
Any ideas about why this happens? Thanks.
-- Chris
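One way a verifier ends up with exactly the accept/reject pattern described above (prefix supersets accepted, shorter or left-padded strings rejected) is a comparison bounded by the stored password's length. The following C is an added illustration, not OpenLDAP code and not a diagnosis of this particular server; the function names and the "banana" values are taken from the example in the post.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical verifier that reproduces the symptom in the post: it compares
 * only strlen(stored) bytes, so any supplied string that begins with the stored
 * password is accepted ("banana2", "bananafjksdfs"), while "banan" and
 * "mbanana" still fail. Illustration of the defect class only. */
bool prefix_check(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(stored)) == 0;
}

/* Corrected check: the lengths must match, and every byte is compared with no
 * early exit so the position of the first mismatch is not leaked by timing. */
bool full_check(const char *stored, const char *supplied)
{
    size_t n = strlen(stored);
    if (n != strlen(supplied))
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ supplied[i]);
    return diff == 0;
}
```

In a real directory the stored value is a hash rather than a plaintext, but the same rule applies: the candidate must be hashed and compared in full, never compared up to the length of one side.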