[Date Prev][Date Next] [Chronological] [Thread] [Top]

Bind accepts any password where the real password is a prefix?


We are running OpenLDAP at our organization to do authentication for
Linux machines.  One strange thing I noticed is that I can bind to the
server using my password, or *any* password that contains my actual
password as a prefix.  Let me explain with an example.

Suppose my password is "banana" (it's not).  Then these passwords work
to bind to the database:
- banana
- banana2
- bananafjksdfs

But these won't work:
- mbanana
- banan

I'm testing this with this command:
ldapsearch -x -W -ZZ -H ldap://<server_address>.com \
    -b dc=mydomain,dc=com \
    -D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \

Any ideas about why this happens? Thanks.

 -- Chris