Posted to oak-issues@jackrabbit.apache.org by "Tobias Bocanegra (JIRA)" <ji...@apache.org> on 2014/09/07 07:16:29 UTC

[jira] [Created] (OAK-2078) Prevent null passwords in ldap provider

Tobias Bocanegra created OAK-2078:
-------------------------------------

             Summary: Prevent null passwords in ldap provider
                 Key: OAK-2078
                 URL: https://issues.apache.org/jira/browse/OAK-2078
             Project: Jackrabbit Oak
          Issue Type: Bug
            Reporter: Tobias Bocanegra


LDAP specifies anonymous authentication by passing an empty password. The default LDAP provider in Oak uses the bind method to validate user credentials. Passing an empty password therefore wrongly authenticates the user against the repository if the LDAP server is not secured enough.

http://tools.ietf.org/html/rfc4513#section-5.1.1
{quote}
5.1.1.  Anonymous Authentication Mechanism of Simple Bind
   An LDAP client may use the anonymous authentication mechanism of the
   simple Bind method to explicitly establish an anonymous authorization
   state by sending a Bind request with a name value of zero length and
   specifying the simple authentication choice containing a password
   value of zero length.
{quote}

and further:

{quote}
Unauthenticated Bind operations can have significant security issues
   (see Section 6.3.1).  In particular, users intending to perform
   Name/Password Authentication may inadvertently provide an empty
   password and thus cause poorly implemented clients to request
   Unauthenticated access.  Clients SHOULD be implemented to require
   user selection of the Unauthenticated Authentication Mechanism by
   means other than user input of an empty password.  Clients SHOULD
   disallow an empty password input to a Name/Password Authentication
   user interface.  Additionally, Servers SHOULD by default fail
   Unauthenticated Bind requests with a resultCode of
   unwillingToPerform.
{quote}
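
To make the failure mode and the client-side guard concrete, here is an added example that is not part of this issue or of Oak's code. It models the RFC 4513 simple Bind states (anonymous, unauthenticated, authenticated) with an in-memory stand-in for a directory server; the `allow_unauthenticated` flag, the `authenticate_naive` / `authenticate_guarded` functions and the user DN and password are constructed for illustration. The naive client treats any successful bind as a login, which is the behaviour described above; the guarded client refuses to bind when the password is null or empty and additionally requires an authenticated state from the bind.

```python
"""Constructed model of RFC 4513 simple Bind semantics and a client-side
password guard. The 'server' is an in-memory stand-in, not a real
directory and not Oak's LDAP identity provider."""
from dataclasses import dataclass
from enum import Enum


class ResultCode(Enum):
    SUCCESS = 0
    INVALID_CREDENTIALS = 49
    UNWILLING_TO_PERFORM = 53


class AuthzState(Enum):
    NONE = "none"                        # bind failed, no authorization state
    ANONYMOUS = "anonymous"              # RFC 4513 5.1.1: empty name, empty password
    UNAUTHENTICATED = "unauthenticated"  # RFC 4513 5.1.2: name given, empty password
    AUTHENTICATED = "authenticated"      # name/password verified


@dataclass
class BindResult:
    code: ResultCode
    authz: AuthzState


class FakeLdapServer:
    """In-memory stand-in for a directory (assumption, not a real LDAP stack).
    allow_unauthenticated=True models a server that does NOT follow the
    RFC 4513 SHOULD of failing unauthenticated binds with unwillingToPerform."""

    def __init__(self, users, allow_unauthenticated=False):
        self.users = users  # constructed dn -> password map
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, name, password):
        # Assumption: a client library encodes a null password as a
        # zero-length octet string on the wire, so None behaves like "".
        password = password or ""
        if name == "" and password == "":
            return BindResult(ResultCode.SUCCESS, AuthzState.ANONYMOUS)
        if password == "":
            if self.allow_unauthenticated:
                return BindResult(ResultCode.SUCCESS, AuthzState.UNAUTHENTICATED)
            return BindResult(ResultCode.UNWILLING_TO_PERFORM, AuthzState.NONE)
        if name in self.users and self.users[name] == password:
            return BindResult(ResultCode.SUCCESS, AuthzState.AUTHENTICATED)
        return BindResult(ResultCode.INVALID_CREDENTIALS, AuthzState.NONE)


def authenticate_naive(server, dn, password):
    """Behaviour described in the issue: any successful bind counts as a login,
    so an empty password against a lenient server logs the user in."""
    return server.simple_bind(dn, password).code is ResultCode.SUCCESS


def authenticate_guarded(server, dn, password):
    """Guarded behaviour: never bind with a null or empty password (the client
    SHOULD in RFC 4513), and only accept a bind that yields an authenticated
    state, so anonymous or unauthenticated binds can never become a login."""
    if password is None or len(password) == 0:
        return False
    result = server.simple_bind(dn, password)
    return (result.code is ResultCode.SUCCESS
            and result.authz is AuthzState.AUTHENTICATED)


if __name__ == "__main__":
    # Constructed sample directory and a lenient server for the demo.
    users = {"uid=alice,ou=people,dc=example,dc=com": "s3cret"}
    lenient = FakeLdapServer(users, allow_unauthenticated=True)
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print("naive, empty password:  ", authenticate_naive(lenient, dn, ""))
    print("guarded, empty password:", authenticate_guarded(lenient, dn, ""))
    print("guarded, real password: ", authenticate_guarded(lenient, dn, "s3cret"))
```

The check on the authorization state matters independently of the empty-password guard: even a server that rejects unauthenticated binds still grants an anonymous state for an empty name plus empty password, and a client that only looks at the result code would accept that too.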

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)