Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2016/02/18 15:09:18 UTC

[jira] [Commented] (DIRAPI-267) LdapNetworkConnection.isAuthenticated() returns TRUE after binding with a blank password

    [ https://issues.apache.org/jira/browse/DIRAPI-267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15152361#comment-15152361 ] 

Emmanuel Lecharny commented on DIRAPI-267:
------------------------------------------

No.

This is legit, and works as specified by [RFC 4513, Unauthenticated Authentication Mechanism of Simple Bind](https://tools.ietf.org/html/rfc4513#section-5.1.2)

>  LdapNetworkConnection.isAuthenticated() returns TRUE after binding with a blank password
> -----------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-267
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-267
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0-M33
>         Environment: tomcat 7 / JRE7 / Microsoft AD
>            Reporter: seb leridon
>            Priority: Minor
>              Labels: security
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Hi,
> Executing this code:
> {code}
>     // ldapHost / ldapPort were not declared in the original snippet; placeholders added here
>     private static final String ldapHost = "ldap.example.invalid";
>     private static final int ldapPort = 389;
>
>     private static void printConnectionState(LdapNetworkConnection connection) {
>         System.out.print("isConnected : " + connection.isConnected());
>         System.out.println(" / isAuthenticated : " + connection.isAuthenticated());
>     }
>
>     public static boolean ldapCheck(String ldapUser, String ldapPwd) {
>         LdapNetworkConnection connection = new LdapNetworkConnection(ldapHost, ldapPort);
>         // init
>         printConnectionState(connection);
>
>         System.out.println(">> LDAP connect...");
>         try { connection.connect(); } catch (Exception e) { System.out.println(e.getMessage()); }
>         printConnectionState(connection);
>         System.out.println(">> 1. Bind with good password...");
>         try { connection.bind(ldapUser, ldapPwd); } catch (Exception e) { System.out.println(e.getMessage()); }
>         printConnectionState(connection);
>         System.out.println(">> 2. Bind with wrong password...");
>         try { connection.bind(ldapUser, "whatever"); } catch (Exception e) { System.out.println(e.getMessage()); }
>         printConnectionState(connection);
>         System.out.println(">> 3. Bind with blank password...");
>         try { connection.bind(ldapUser, ""); } catch (Exception e) { System.out.println(e.getMessage()); }
>         printConnectionState(connection);
>         return connection.isAuthenticated();
>     }
> {code}
> returns:
> {code}
> isConnected : false / isAuthenticated : false
> >> LDAP connect...
> isConnected : true / isAuthenticated : false
> >> 1. Bind with good password...
> isConnected : true / isAuthenticated : true
> >> 2. Bind with wrong password...
> 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
> isConnected : true / isAuthenticated : false
> >> 3. Bind with blank password...
> isConnected : true / isAuthenticated : true
> {code}
> The method isAuthenticated() should return false if no user is authenticated, no?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
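Because the server answers an unauthenticated bind (a name plus an empty password, RFC 4513 section 5.1.2) with success and only anonymous access, the client has to refuse the blank password itself before any bind is sent. The following is an added example, not code from the issue or from the Apache Directory project; the host and port are placeholders, and the class and method names are assumed.

```java
import java.io.IOException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public final class SafeLdapCheck {
    // Placeholder values; the reporter's environment was Microsoft AD on an undisclosed host.
    private static final String LDAP_HOST = "ldap.example.invalid";
    private static final int LDAP_PORT = 389;

    /** Reject anything that would turn the simple bind into an anonymous or unauthenticated one. */
    public static boolean isUsableCredential(String user, String password) {
        // Empty name + empty password = anonymous bind; name + empty password = unauthenticated bind.
        // Both return success at the protocol level, so neither may count as a login.
        return user != null && !user.trim().isEmpty()
            && password != null && !password.isEmpty();
    }

    /** Returns true only when a real (non-empty) password was accepted by the directory. */
    public static boolean ldapCheck(String user, String password) {
        if (!isUsableCredential(user, password)) {
            return false; // never send the request: an empty password must not look like success
        }
        LdapNetworkConnection connection = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT);
        try {
            connection.connect();
            // A wrong password throws (AD reports data 52e); a blank one would "succeed",
            // which is exactly why it was filtered out above.
            connection.bind(user, password);
            return connection.isAuthenticated();
        } catch (LdapException e) {
            return false;
        } finally {
            try {
                connection.close();
            } catch (IOException ignored) {
                // nothing to recover here; the result has already been decided
            }
        }
    }
}
```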