Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.2.4
    • Fix Version/s: 2.2.5
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Linux 2.6.
      Standalone Artifactory with Jetty (currently I am only running it locally for evaluation purposes).
      LDAP server is Sun Directory Server 5.2, aka SunONE LDAP.

Description

When using LDAP authentication, providing a blank password is treated as a successful login. The cause is that the back-end LDAP server treats a bind with an empty/blank password as an anonymous bind, and I suspect the LDAP code in Artifactory simply looks for a successful bind. This probably only happens with certain LDAP server implementations, but SunONE LDAP (which we use at my site) does this.

Supporting quote from http://www.ucalgary.ca/it/directories/identity/ldap:

WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.

This occurs both at the login screen and on the "Test LDAP Connection" page:

• Test Username correct, Test password correct: "Successful connection"
• Test Username correct, Test password wrong: "Authentication failed"
• Test Username correct, password empty: "Successful connection" (bad!)
• Test Username correct, password spaces only: "Successful connection" (bad!)
• Test Username does not exist, Test password exists: "Authentication failed"
• Test Username does not exist, Test password spaces only: "No such object" (bad, kind of)

Obviously this is a bad situation because you can log in as anyone by providing a blank password on the login screen.

I think this will only happen when using the "User DN Pattern", because using a "Manager DN" will first bind as the manager and then check the password. However, I can't verify this at the moment because I don't have access to such a DN at my site.

Suggested fix is to not make LDAP bind attempts with empty passwords, or passwords containing only spaces, and treat them as failed authentication attempts. Not sure if there is a legitimate requirement for logins with blank passwords, but if so maybe make it an option which is off by default.
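An added example (not part of this report or of Artifactory's code) of the suggested pre-bind check, plus a second check worth having in an LDAP login path: after a successful bind, confirm with the RFC 4532 "Who am I?" operation that the session is not anonymous. `FakeDirectory`, `ALICE_DN` and the bind/who-am-i callables are constructed stand-ins for a server that behaves as the report's table describes.

```python
from typing import Callable, Dict, Optional

def password_is_usable(password: Optional[str]) -> bool:
    """Pre-bind check from the report: never bind with a missing, empty or
    whitespace-only password, since some servers turn that into an anonymous bind."""
    return password is not None and password.strip() != ""

def authenticate(user_dn: str, password: Optional[str],
                 bind: Callable[[str, str], bool],
                 who_am_i: Callable[[], str]) -> bool:
    """Accept only a bind that is both successful and non-anonymous."""
    if not password_is_usable(password):
        return False                      # failed attempt; the directory is never contacted
    if not bind(user_dn, password):
        return False
    # Second line of defence: RFC 4532 "Who am I?" returns an empty authzId for an
    # anonymous session and "dn:<bound DN>" for an authenticated one.
    identity = who_am_i()
    return identity.lower() == f"dn:{user_dn}".lower()

class FakeDirectory:
    """Constructed stand-in for a server that treats a blank or spaces-only
    password as an anonymous bind, mirroring the outcomes listed in the report."""
    def __init__(self, entries: Dict[str, str]) -> None:
        self.entries = entries            # DN -> password (test data only)
        self.bound_as = ""                # "" means the session is anonymous

    def bind(self, dn: str, password: str) -> bool:
        if dn not in self.entries:
            return False                  # "No such object" / "Authentication failed"
        if password.strip() == "":
            self.bound_as = ""            # anonymous bind: "succeeds" but binds nobody
            return True
        if self.entries[dn] != password:
            return False
        self.bound_as = dn
        return True

    def who_am_i(self) -> str:
        return f"dn:{self.bound_as}" if self.bound_as else ""

ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"   # constructed sample entry
DIRECTORY = FakeDirectory({ALICE_DN: "correct horse"})

def naive_login(user_dn: str, password: str) -> bool:
    """What the report suspects the login code did: trust any successful bind."""
    return DIRECTORY.bind(user_dn, password)

def guarded_login(user_dn: str, password: Optional[str]) -> bool:
    """The same login with the pre-bind check and the who-am-i confirmation."""
    return authenticate(user_dn, password, DIRECTORY.bind, DIRECTORY.who_am_i)
```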

People

• Assignee: Tomer Cohen (cohen.tomer)
• Reporter: Tim Peters (tcp)