
Re: LDAP bind with blank password

This behavior is defined by the design of LDAP.

It is described in RFC2829, but most clearly stated in

   An LDAP client MAY also choose to explicitly bind anonymously. A
   client that wishes to do so MUST choose the simple authentication
   option in the Bind Request (see section 4.1) and set the password to
   be of zero length. (This is often done by LDAPv2 clients.) Typically
   the name is also of zero length.

> >>> Pierangelo Masarati <masarati@aero.polimi.it> 12/10/01 11:52AM
> > Hi again,
> > 
> > I just noticed that ldapd considers a bind where a bind DN is supplied but
> > where a blank password is given to be anonymous given some kind of
> > permissions for anonymous. Is that how it is supposed to work?
> >
> > The reason for asking is that I wrote some authentication code that uses a
> > simple bind with dn and password to authenticate users and was
> > surprised that the bind call returned zero with an incorrect password.  Of
> > course this is easily fixable by just disallowing blank passwords in my
> > code but I'd still like to know why things were designed like
> A bind with a DN but with an empty password is equivalent to an
> bind, while a bind with a DN and with a wrong password is not; the
> for obvious reasons, is rejected.
> I don't know why it was designed this way, though.
> Pierangelo.
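
Added example, not part of the original messages: the check discussed in this thread, shown as a login wrapper that trusts the bind result code beside one that refuses a zero-length password before any bind is sent. FakeDirectory, naive_login, checked_login and the sample DN and password are constructed stand-ins, not a real LDAP client API.

```python
# Added example. FakeDirectory is a constructed stand-in for an LDAP server
# that behaves as described in this thread; it is not a real client API.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # LDAP result code invalidCredentials


class FakeDirectory:
    """Simple bind as described above: zero-length password => anonymous."""

    def __init__(self, users):
        self.users = users  # constructed sample data: DN -> password

    def simple_bind(self, dn, password):
        """Return (result_code, identity the server actually granted)."""
        if len(password) == 0:
            # Treated as an anonymous bind, so it succeeds whatever DN
            # the client supplied.
            return LDAP_SUCCESS, "anonymous"
        if self.users.get(dn) == password:
            return LDAP_SUCCESS, dn
        return LDAP_INVALID_CREDENTIALS, None


def naive_login(directory, dn, password):
    """The pattern from the question: a zero result code means 'logged in'."""
    code, _ = directory.simple_bind(dn, password)
    return code == LDAP_SUCCESS


def checked_login(directory, dn, password):
    """Refuse an empty DN or password before the bind request is sent."""
    if not dn or not password:
        return False
    code, identity = directory.simple_bind(dn, password)
    # Also require that the server bound us as the DN we asked for.
    return code == LDAP_SUCCESS and identity == dn


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"  # constructed sample entry
    d = FakeDirectory({alice: "s3cret"})
    for pw in ("s3cret", "wrong", ""):
        print(repr(pw), naive_login(d, alice, pw), checked_login(d, alice, pw))
```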