Artifactory Binary Repository
RTFACT-3378: ldap authentication with blank password



    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 2.2.4
    • Fix Version/s: 2.2.5
    • Component/s: Security
    • Labels:
    • Environment:

      Linux 2.6.
      Standalone Artifactory with Jetty (currently I am only running it locally for evaluation purposes).
      LDAP server is Sun Directory Server 5.2, aka SunONE LDAP.

    • Severity:


      When using LDAP authentication, providing a blank password is treated as a successful login. The cause is that the back-end LDAP server treats a bind with an empty/blank password as an anonymous bind, and I suspect the LDAP code in Artifactory simply looks for a successful bind. This probably only happens with certain LDAP server implementations, but SunONE LDAP (which we use at my site) does this.

      Supporting quote from http://www.ucalgary.ca/it/directories/identity/ldap

      WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.

      This occurs both at the login screen and on the "Test LDAP Connection" page:

      • Test Username correct, Test password correct: "Successful connection"
      • Test Username correct, Test password wrong: "Authentication failed"
      • Test Username correct, password empty: "Successful connection" (bad!)
      • Test Username correct, password spaces only: "Successful connection" (bad!)
      • Test Username does not exist, Test password exists: "Authentication failed"
      • Test Username does not exist, Test password spaces only: "No such object" (bad, kind of)

      Obviously this is a bad situation because you can log in as anyone by providing a blank password on the login screen.

      I think this will only happen when using the "User DN Pattern", because using a "Manager DN" will first bind as the manager and then check the password. However, I can't verify this at the moment because I don't have access to such a DN at my site.

      Suggested fix is to not make LDAP bind attempts with empty passwords, or passwords containing only spaces, and treat them as failed authentication attempts. Not sure if there is a legitimate requirement for logins with blank passwords, but if so maybe make it an option which is off by default.
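As an added example (not code from this issue or from Artifactory itself), the following Python models the failure mode described above and the suggested fix. The LDAP "unauthenticated bind" (a DN with an empty password) is defined in RFC 4513 section 5.1.2, which is why a server may accept it as anonymous. The directory, the user DN pattern and `simulated_bind` are constructed stand-ins that reproduce the behaviour the reporter observed (blank or whitespace-only password binds succeed anonymously); no real LDAP server is contacted.

```python
"""Blank-password LDAP bind: naive check beside the hardened one.

Constructed example for RTFACT-3378. The in-memory directory and the
bind simulation stand in for a directory server that, like the SunONE
server in the report, turns a blank-password bind into an anonymous bind.
"""
from dataclasses import dataclass

# Constructed sample directory: DN -> password (assumed values).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}

# Assumed "User DN Pattern" of the kind the report refers to.
USER_DN_PATTERN = "uid={0},ou=people,dc=example,dc=com"


@dataclass
class BindResult:
    bound: bool
    identity: str  # "anonymous" when the server fell back to an anonymous bind


def simulated_bind(dn: str, password: str) -> BindResult:
    """Simulates the observed server behaviour; this is not real LDAP code.

    A blank or whitespace-only password is treated as an anonymous bind,
    so the bind "succeeds" even though it authenticated nobody.
    """
    if password.strip() == "":
        return BindResult(True, "anonymous")
    if dn not in DIRECTORY:
        # A real server would answer the reporter's "No such object" here.
        return BindResult(False, "")
    if DIRECTORY[dn] == password:
        return BindResult(True, dn)
    return BindResult(False, "")


def authenticate_naive(username: str, password: str) -> bool:
    """The failure mode: treats any successful bind as a successful login."""
    dn = USER_DN_PATTERN.format(username)
    return simulated_bind(dn, password).bound


def authenticate_hardened(username: str, password: str) -> bool:
    """Rejects blank and whitespace-only passwords before any bind is
    attempted, and additionally refuses a bind that did not end up
    authenticated as the DN that was requested."""
    if password is None or password.strip() == "":
        return False
    dn = USER_DN_PATTERN.format(username)
    result = simulated_bind(dn, password)
    return result.bound and result.identity == dn


def reporter_cases(authenticate) -> dict:
    """Runs the six combinations from the 'Test LDAP Connection' table
    above against an authenticate function and returns the outcomes."""
    return {
        "correct user, correct password": authenticate("alice", "correct horse"),
        "correct user, wrong password": authenticate("alice", "wrong"),
        "correct user, empty password": authenticate("alice", ""),
        "correct user, spaces only": authenticate("alice", "   "),
        "missing user, existing password": authenticate("nobody", "hunter2"),
        "missing user, spaces only": authenticate("nobody", "   "),
    }


if __name__ == "__main__":
    for name, fn in (("naive", authenticate_naive), ("hardened", authenticate_hardened)):
        print(name)
        for case, ok in reporter_cases(fn).items():
            print(f"  {case}: {'login' if ok else 'denied'}")
```

The pre-bind check alone closes the hole the report describes; the identity comparison is a second, independent layer for servers whose bind semantics are not known in advance. Against a real directory the equivalent of that comparison is the "Who am I?" extended operation (RFC 4532) issued on the bound connection.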


      cohen.tomer Tomer Cohen
      tcp Tim Peters (Inactive)