Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2016/02/18 15:09:18 UTC
[jira] [Commented] (DIRAPI-267) LdapNetworkConnection.isAuthenticated() returns TRUE after binding with a blank password
[ https://issues.apache.org/jira/browse/DIRAPI-267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15152361#comment-15152361 ]
Emmanuel Lecharny commented on DIRAPI-267:
------------------------------------------
No.
This is legit, and works as specified by [RFC 4513, Unauthenticated Authentication Mechanism of Simple Bind](https://tools.ietf.org/html/rfc4513#section-5.1.2)
> LdapNetworkConnection.isAuthenticated() returns TRUE after binding with a blank password
> -----------------------------------------------------------------------------------------
>
> Key: DIRAPI-267
> URL: https://issues.apache.org/jira/browse/DIRAPI-267
> Project: Directory Client API
> Issue Type: Bug
> Affects Versions: 1.0.0-M33
> Environment: tomcat 7 / JRE7 / Microsoft AD
> Reporter: seb leridon
> Priority: Minor
> Labels: security
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> hi,
> the execution of that code :
> {code}
> import org.apache.directory.ldap.client.api.LdapNetworkConnection;
>
> // ldapHost and ldapPort are fields of the enclosing class (not shown in the report)
> private static void printConnectionState(LdapNetworkConnection connection) {
>     System.out.print("isConnected : " + connection.isConnected());
>     System.out.println(" / isAuthenticated : " + connection.isAuthenticated());
> }
>
> public static boolean ldapCheck(String ldapUser, String ldapPwd) {
>     LdapNetworkConnection connection = new LdapNetworkConnection( ldapHost, ldapPort );
>     // init
>     printConnectionState(connection);
>
>     System.out.println(">> LDAP connect...");
>     try { connection.connect(); } catch ( Exception e) {System.out.println(e.getMessage());}
>     printConnectionState(connection);
>     System.out.println(">> 1. Bind with good password...");
>     try { connection.bind( ldapUser, ldapPwd); } catch ( Exception e) {System.out.println(e.getMessage());}
>     printConnectionState(connection);
>     System.out.println(">> 2. Bind with wrong password...");
>     try { connection.bind( ldapUser, "whatever"); } catch ( Exception e) {System.out.println(e.getMessage());}
>     printConnectionState(connection);
>     System.out.println(">> 3. Bind with blank password...");
>     try { connection.bind( ldapUser, ""); } catch ( Exception e) {System.out.println(e.getMessage());}
>     printConnectionState(connection);
>     return connection.isAuthenticated();
> }
> {code}
> returns :
> {code}
> isConnected : false / isAuthenticated : false
> >> LDAP connect...
> isConnected : true / isAuthenticated : false
> >> 1. Bind with good password...
> isConnected : true / isAuthenticated : true
> >> 2. Bind with wrong password...
> 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
> isConnected : true / isAuthenticated : false
> >> 3. Bind with blank password...
> isConnected : true / isAuthenticated : true
> {code}
> The method isAuthenticated() should return false if no user is authenticated, no?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
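Editor's added example, not code from the bug report, the reporter or the Apache Directory project. RFC 4513 section 5.1.2 defines a simple bind carrying a non-empty name and an empty password as an "unauthenticated" bind: a conforming server (Microsoft AD behaves this way by default) answers success and merely treats the connection as anonymous, so isAuthenticated() reporting true after such a bind is the library faithfully reporting a successful bind operation, not a password check. The same RFC section says clients SHOULD disallow an empty password input, which means the check belongs in the application, before bind() is ever called. The class name LdapAuthenticator, the method authenticate() and the host/port fields below are hypothetical; the LdapNetworkConnection calls (connect, bind, isAuthenticated, close) are those of the Apache Directory LDAP API 1.0.0 line.

```java
import java.io.IOException;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Added example (not from the bug report or the Apache Directory project).
 *
 * Password check against an LDAP directory that cannot be bypassed with an
 * empty password. Per RFC 4513 section 5.1.2, "name + empty password" is an
 * unauthenticated bind: the server returns success and the connection is
 * anonymous, so a successful bind alone proves nothing about the password.
 * The empty-credential cases are therefore rejected before any network I/O.
 */
public final class LdapAuthenticator {

    // Hypothetical connection settings supplied by the caller.
    private final String ldapHost;
    private final int ldapPort;

    public LdapAuthenticator(String ldapHost, int ldapPort) {
        this.ldapHost = ldapHost;
        this.ldapPort = ldapPort;
    }

    /**
     * Returns true only when the directory verified a non-empty password for
     * a non-empty name. A failed bind (AD error data 52e = invalid
     * credentials, or any other LdapException) is reported as false rather
     * than propagated, so callers cannot mistake an exception path for success.
     */
    public boolean authenticate(String name, String password) {
        // 1. Refuse the RFC 4513 5.1.2 unauthenticated bind (name set, password
        //    empty) and the fully anonymous bind (both empty) up front. Without
        //    this guard the bind below succeeds with an empty password and
        //    isAuthenticated() returns true, exactly as in DIRAPI-267.
        if (name == null || name.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }

        LdapNetworkConnection connection = new LdapNetworkConnection(ldapHost, ldapPort);
        try {
            connection.connect();
            // 2. Only a bind that actually carries a password reaches this point.
            connection.bind(name, password);
            // bind() throws on invalidCredentials, so reaching here means the
            // server accepted the password; isAuthenticated() confirms the
            // connection state the caller is about to rely on.
            return connection.isAuthenticated();
        } catch (LdapException e) {
            // Wrong password, unknown DN, server unreachable: all are "not authenticated".
            return false;
        } finally {
            try {
                connection.close();
            } catch (IOException e) {
                // The check is already complete; a failed close changes nothing.
            }
        }
    }
}
```

Usage: new LdapAuthenticator("ldap.example.com", 389).authenticate(dn, enteredPassword). Run against the three cases from the report, the good password returns true and both the wrong password and the blank password return false; the blank case never reaches the directory at all. Keep the guard on the application side even if the directory is configured to reject unauthenticated binds, since that server setting is outside the application's control and the API is, as the comment above says, behaving as the RFC specifies.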