[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How to fix blank password problem

At 04:52 AM 10/4/2005, Roman K. Gagarskiy wrote:
>The problem is that if I'm trying to authenticate a user with blank password
>OpenLDAP logs in anonymously. Is there a way to make difference between
>anonymous bind and bind with real dn but blank password? I actually don't
>need anonymous bind. I need only authenticate real users but some of them
>would like to have blank passwords.

In LDAP, users (using simple password authentication) must have
non-empty passwords as an empty password field is used
to request "anonymous" (without DN) or "unauthenticated"
(with DN) access.  In the latter case, the provided DN is
considered trace information (e.g., for logging),
it has no significance otherwise.  (Much like the
"trace information" sent in SASL ANONYMOUS requests.)

In the current slapd(8), if a DN is provided with an empty
password, the server will error by default.  This is intended
to warn users with (non-empty) passwords that they they
provided no password and hence have anonymous access.
You can allow such requests (DN with empty passwords) be
successfully accepted, but there is no facility to
treat such requests as a request for authenticated
access (as per the protocol they are requests for
"unauthenticated" access).


>There are some links to similar threads:
>Best regards, Roman K. Gagarskiy
>Cellular: +7-921-743-4638
>ICQ: 11655062
>Yahoo: roman_gagarski
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>> Sent: Tuesday, October 04, 2005 3:38 PM
>> To: Roman K. Gagarskiy
>> Cc: openldap-software@OpenLDAP.org
>> Subject: Re: How to fix blank password problem
>> At 03:43 AM 10/4/2005, Roman K. Gagarskiy wrote:
>> >I'm working with OpenLDAP from Java. The requirements are so that I need
>> to
>> >support blank passwords for the users. I have found a message in this
>> list
>> >that there was a patch fixing problem with "blank password". Could
>> someone
>> >please give me the link to this patch?
>> What is the "blank password problem"?  A reference
>> to the archived list message would be useful.
>> Kurt