-
Type:
Bug
-
Status: Done
-
Resolution: Done
-
Affects Version/s: 2.2.4
-
Fix Version/s: 2.2.5
-
Component/s: Security
-
Labels:None
-
Environment:
Linux 2.6.
Standalone Artifactory with Jetty (currently I am only running it locally for evaluation purposes).
LDAP server is Sun Directory Server 5.2, aka SunONE LDAP.
-
Severity:Critical
When using LDAP authentication, providing a blank password is treated as a successful login. The cause is that the back-end LDAP server treats a bind with an empty/blank password as an anonymous bind, and I suspect the LDAP code in artifactory simply looks for a successful bind. This probably only happens with certain LDAP server implementations, but SunONE LDAP (which we use at my site) does this.
Supporting quote from http://www.ucalgary.ca/it/directories/identity/ldap
WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.
This occurs both at the login screen and on the "Test LDAP Connection" page:
- Test Username correct, Test password correct: "Successful connection"
- Test Username correct, Test password wrong: "Authentication failed"
- Test Username correct, password empty: "Successful connection" (bad!)
- Test Username correct, password spaces only: "Successful connection" (bad!)
- Test Username does not exist, Test password exists: "Authentication failed"
- Test Username does not exist, Test password spaces only: "No such object" (bad, kind of)
Obviously this is a bad situation because you can log in as anyone by providing a blank password on the login screen.
I think this will only happen when using the "User DN Pattern", because using a "Manager DN" will first bind as the manager and then check the password. However I can't verify this at the moment because I don't have access to such a DN at my site.
Suggested fix is to not make LDAP bind attempts with empty passwords, or passwords containing only spaces, and treat them as failed authentication attempts. Not sure if there is a legitimate requirement for logins with blank passwords, but if so maybe make it an option which is off by default.
- is related to
-
RTFACT-3103 Using LDAP(s) Auth and entering only a username, no password
- Done