Re: LDAP bind with blank password
This behavior is defined by the design of LDAP.
It is described in RFC2829, but most clearly stated in
An LDAP client MAY also choose to explicitly bind anonymously. A
client that wishes to do so MUST choose the simple authentication
option in the Bind Request (see section 4.1) and set the password to
be of zero length. (This is often done by LDAPv2 clients.) Typically
the name is also of zero length.
> >>> Pierangelo Masarati <email@example.com> 12/10/01 11:52AM
> > Hi again,
> > I just noticed that ldapd considers a bind where a bind DN is
> > where a blank password is given to be anonymous given some kind of
> > permissions for anonymous. Is that how it is supposed to work?
> > The reason for asking is that I wrote some authentication code that
> > simple bind with dn and password to authenticate users and was
> > surprised that the bind call returned zero with an incorrect
> > course this is easily fixable by just disallowing blank passwords
> > code but I'd still like to know why things were designed like
> A bind with a DN but with an empty password is equivalent to an
> bind, while a bind with a DN and with a wrong password is not; the
> for obvious reasons, is rejected.
> I don't know why it was designed this way, though.
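
Added example, not part of the original thread or of any LDAP implementation: a small Python model of the bind behaviour discussed above, with the naive authentication check next to one that rejects blank passwords before binding. The function names, the sample directory entry and the returned identity string are assumptions made for illustration.

```python
# Constructed sample directory (DN -> password); not data from the thread.
DIRECTORY = {"uid=alice,dc=example,dc=com": "correct horse"}

SUCCESS = 0               # LDAP result code: success
INVALID_CREDENTIALS = 49  # LDAP result code: invalidCredentials


def server_simple_bind(dn, password):
    """Model of the server side of a simple bind as described in the thread.

    Returns (result_code, identity the session ends up bound as).
    """
    if password == "":
        # Zero-length password: handled as an anonymous bind,
        # even when a DN was supplied.
        return SUCCESS, "anonymous"
    if DIRECTORY.get(dn) == password:
        return SUCCESS, dn
    # DN with a wrong password: rejected.
    return INVALID_CREDENTIALS, None


def naive_authenticate(dn, password):
    """The pattern from the question: trust the bind result code alone."""
    code, _ = server_simple_bind(dn, password)
    return code == SUCCESS


def checked_authenticate(dn, password):
    """Refuse blank DNs and passwords before the bind is ever attempted."""
    if not dn or not password:
        return False
    code, identity = server_simple_bind(dn, password)
    # In this model the server reports who the session is bound as,
    # so the caller can also confirm it is the DN that was asked for.
    return code == SUCCESS and identity == dn


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"
    for pw in ("correct horse", "wrong", ""):
        print(repr(pw), naive_authenticate(alice, pw),
              checked_authenticate(alice, pw))
```

Only the blank-password row differs between the two functions: the naive check accepts it because the bind succeeded as anonymous.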