
Empty password string (ITS#423)

Full_Name: Lim Swee Tat
Version: 1.2.8
OS: Solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

  I noticed the following error.

  I did a batch job to update the LDAP server with some RDBMS data once in a
  The result was that once, some of the entries probably cocked up.  The
  field now contains "{CRYPT}".  There are no other strings attached.  The usual
  userpassword field contains "{CRYPT}afl;kj!@fslkjf".  (Don't try to decrypt
  this, it's just random keys.... 8) ).

  What happened was that a user was able to log in to the system with no

  In case you were wondering, my acl is as follows:
defaultaccess   none
## objectClass
access          to attr=objectclass
                by self read
                by * search
# entry
access          to attr=entry
                by self read
                by dn=".*,ou=PEOPLE,o=NCS,c=SG" read
                by * read
## uid
access          to attr=uid
                by self read
                by dn=".*,ou=PEOPLE,o=NCS,c=SG" read
                by * search
## mail
access          to attr=mail
                by self write
                by dn=".*,ou=PEOPLE,o=NCS,c=SG" read
                by * search
## userpassword
access          to attr=userpassword
                by dn="uid=DIRADMIN,ou=PEOPLE,o=NCS,c=SG" write
                by self write
                by * none

I've tried to change the value of "by * read" to "by * search" for the attr
but some of the systems relying on the LDAP for authentication just fail.  This
ACL works... That is, a valid user with a valid password is able to authenticate
the system without a problem.  Invalid passwords get rejected.  Yet, for this
rather unusual case, the invalid passwords do not even get rejected.

Hope there's a solution.

ST Lim
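
A check for the condition described in this report, as an added example that is not part of the original message or of OpenLDAP: it scans an LDIF export for userpassword values that consist of a scheme tag such as {CRYPT} with no hash after it. The sample entries are constructed; only the suffix and the two value shapes come from the report, and the LDIF export, the base64-encoded value and the lower-case tag are assumptions beyond it.

```python
import base64
import re

# "{SCHEME}" followed by whatever hash text is stored after it.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

# Constructed sample export (uids are made up for this example).
SAMPLE_LDIF = """\
dn: uid=alice,ou=PEOPLE,o=NCS,c=SG
userpassword: {CRYPT}afl;kj!@fslkjf

dn: uid=bob,ou=PEOPLE,o=NCS,c=SG
userpassword: {CRYPT}

dn: uid=carol,ou=PEOPLE,o=NCS,c=SG
userpassword:: e0NSWVBUfQ==

dn: uid=dave,ou=PEOPLE,
 o=NCS,c=SG
userpassword: {crypt}
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return re.sub(r"\n ", "", text).splitlines()

def find_empty_hashes(text):
    """Return (dn, scheme) for every userpassword that is a scheme tag with no hash."""
    findings, dn = [], None
    for line in unfold(text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = attr.split(";")[0].lower()
        if name == "dn":
            dn = value
        elif name == "userpassword":
            m = SCHEME_RE.match(value)
            if m and not m.group(2).strip():
                findings.append((dn, m.group(1).upper()))
    return findings

if __name__ == "__main__":
    for dn, scheme in find_empty_hashes(SAMPLE_LDIF):
        print(f"{dn}: {{{scheme}}} tag with no hash")
```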