
unauthenticated bind

LDAP is often used as the authentication store for other services (e.g., mail
services).  These services use LDAP to validate passwords.

I have seen many cases where shipping software does a simple bind to test if a
user's password is valid, and due to unauthenticated bind this will always
succeed with an empty password and allow an attacker to access every account.

The example code in Tim Howes's book for exactly this purpose has exactly this
bug, so we will never get rid of this security hole in LDAP by fixing the
client code because we'll always have new client code with this bug.

The only way to fix this LDAP security hole properly is to disallow
unauthenticated bind on the server (I have no problem with anonymous bind).

Currently, this text is buried in the security considerations section of the
authmeth draft with a fairly weak "SHOULD".

The requirement should be in section 6.1 of authmeth and should be a "MUST by
default reject authentication requests that have a DN with an empty password".

                - Chris
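The failure mode Chris describes, as an added example that is not part of the original post and not code from any real LDAP server or client library. It simulates the three forms of the LDAP simple Bind (anonymous, unauthenticated, name/password) in an in-memory server, then shows the naive "bind succeeded, so the password is valid" client check beside a hardened one, and the server-side switch that rejects unauthenticated binds. The directory contents, the DNs, and every function name are constructed here for illustration.

```python
"""
Simulated LDAP simple-bind semantics and the password-check bug that
unauthenticated bind enables.

Added example, not code from the original post or from any LDAP product.
DIRECTORY, the DNs, and all function names are constructed assumptions.
"""

# Constructed user store: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}

# LDAP result codes relevant to Bind, named as in the protocol.
SUCCESS = "success"
INVALID_CREDENTIALS = "invalidCredentials"
UNWILLING_TO_PERFORM = "unwillingToPerform"


def server_bind(dn, password, allow_unauthenticated):
    """Mimic a server handling a simple Bind request.

    The simple Bind carries three distinct mechanisms:
      - empty name, empty password      -> anonymous bind
      - non-empty name, empty password  -> unauthenticated bind
      - non-empty name, non-empty pw    -> name/password authentication
    Returns (result_code, authorization_identity).
    """
    if dn == "" and password == "":
        return SUCCESS, "anonymous"
    if dn == "":
        # Password without a name is malformed; refuse it.
        return INVALID_CREDENTIALS, None
    if password == "":
        # Unauthenticated bind: the DN is NOT verified against anything.
        # The resulting authorization is still anonymous, but the result
        # code is success, which is all a naive client looks at.
        if allow_unauthenticated:
            return SUCCESS, "anonymous"
        # The fix the post argues for: reject by default on the server.
        return UNWILLING_TO_PERFORM, None
    if DIRECTORY.get(dn) == password:
        return SUCCESS, dn
    return INVALID_CREDENTIALS, None


def vulnerable_check(dn, password, allow_unauthenticated=True):
    """Naive client: treats 'bind returned success' as 'password is valid'.

    With unauthenticated bind enabled, any DN plus an empty password
    passes, so every account is open to anyone who sends no password.
    """
    code, _ = server_bind(dn, password, allow_unauthenticated)
    return code == SUCCESS


def hardened_check(dn, password, allow_unauthenticated=True):
    """Client-side fix: never send an empty name or password, and require
    the server to have granted the identity we asked for, not anonymous.
    """
    if not dn or not password:
        return False
    code, authz = server_bind(dn, password, allow_unauthenticated)
    return code == SUCCESS and authz == dn


def accounts_open_to_empty_password(check, allow_unauthenticated=True):
    """Return the DNs a given client check accepts with an empty password."""
    return [dn for dn in DIRECTORY
            if check(dn, "", allow_unauthenticated)]


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    print("vulnerable client, server allows unauthenticated bind:",
          accounts_open_to_empty_password(vulnerable_check, True))
    print("vulnerable client, server rejects unauthenticated bind:",
          accounts_open_to_empty_password(vulnerable_check, False))
    print("hardened client, server allows unauthenticated bind:",
          accounts_open_to_empty_password(hardened_check, True))
    print("real password still works:", hardened_check(bob, "hunter2"))
```

Note that the hardened client also compares the authorization identity the server granted with the DN it asked for; relying on the result code alone is the mistake, because an unauthenticated bind returns success while binding the session as anonymous.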