
mod_authnz_ldap returns 500 in some cases if an empty password is supplied
One of my peers at work noticed that mod_authnz_ldap returns a HTTP 500 code when the user sends an empty password.
After further investigation I noticed that this only happens in case the authentication to the LDAP server happens via
AuthLDAPInitialBindAsUser / AuthLDAPInitialBindPattern and not via AuthLDAPBindDN / AuthLDAPBindPassword (in this case it
correctly returns a HTTP 401 code).

I also found the following comment in line 1875 of modules/ldap/util_ldap.c:

/*
* A bind to the server with an empty password always succeeds, so
* we check to ensure that the password is not empty. This implies
* that users who actually do have empty passwords will never be
* able to authenticate with this module. I don't see this as a big
* problem.
*/

This causes the initial bind with the user credentials to succeed, but the following ldap_search_ext_s to fail with
"Operations error".

Hence I would propose the following two patches:

1. Do not allow setting an empty bind password via AuthLDAPBindPassword (no_empty_bind_password.diff).
2. In authn_ldap_check_password move the checks for NULL user / password up (IMHO we cannot do anything sensible in case they
are NULL); in addition, check if the password is empty and return AUTH_DENIED if this is the case. This would be similar to
the behavior in case AuthLDAPBindDN / AuthLDAPBindPassword is used (no_empty_password_check.diff).

Opinions?


Regards

Rüdiger
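The failure mode described above, as an added example that is not code from httpd or from the thread's author: a simulated simple bind that, like servers permitting the unauthenticated mechanism of RFC 4513 §5.1.2, returns success for a non-empty DN with a zero-length password, followed by a search that fails on the resulting anonymous session. The unguarded flow can only map that to a general error (the HTTP 500); the guarded flow rejects NULL or empty credentials before contacting the directory and returns AUTH_DENIED (the 401). The enum names, the toy directory entry and the `sim_*` functions are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Result codes modelled on mod_authnz_ldap's authn_status; names are an assumption. */
typedef enum { AUTH_GRANTED, AUTH_DENIED, AUTH_GENERAL_ERROR } authn_status;

/* LDAP result codes as numbered in RFC 4511. */
enum { LDAP_SUCCESS = 0, LDAP_OPERATIONS_ERROR = 1, LDAP_INVALID_CREDENTIALS = 49 };

/* Toy directory with a single entry (constructed sample data). */
static const char *kDN = "uid=alice,ou=people,dc=example,dc=com";
static const char *kPW = "correct horse";

/* Simulated simple bind. A non-empty DN with an empty password is an
 * "unauthenticated" bind (RFC 4513 5.1.2): on servers that allow it, the
 * bind succeeds but the session is anonymous, not authenticated as the DN. */
static int sim_bind(const char *dn, const char *pw, int *authenticated) {
    *authenticated = 0;
    if (dn == NULL || *dn == '\0')
        return LDAP_SUCCESS;               /* anonymous bind */
    if (pw == NULL || *pw == '\0')
        return LDAP_SUCCESS;               /* unauthenticated bind: "succeeds" */
    if (strcmp(dn, kDN) == 0 && strcmp(pw, kPW) == 0) {
        *authenticated = 1;
        return LDAP_SUCCESS;
    }
    return LDAP_INVALID_CREDENTIALS;
}

/* Simulated search: the directory refuses searches on an anonymous session. */
static int sim_search(int authenticated) {
    return authenticated ? LDAP_SUCCESS : LDAP_OPERATIONS_ERROR;
}

/* Unguarded flow (bind as user, then search). With an empty password the bind
 * returns success, the search then fails with operationsError, and the caller
 * has no credential failure to report, so it falls through to a general error. */
authn_status check_password_unguarded(const char *user_dn, const char *password) {
    int authed = 0;
    int rc = sim_bind(user_dn, password, &authed);
    if (rc == LDAP_INVALID_CREDENTIALS)
        return AUTH_DENIED;
    if (rc != LDAP_SUCCESS)
        return AUTH_GENERAL_ERROR;
    if (sim_search(authed) != LDAP_SUCCESS)
        return AUTH_GENERAL_ERROR;
    return AUTH_GRANTED;
}

/* Guarded flow: refuse NULL or empty credentials before any directory
 * operation, so an empty password is a denial, not a server error. */
authn_status check_password_guarded(const char *user_dn, const char *password) {
    if (user_dn == NULL || password == NULL || *password == '\0')
        return AUTH_DENIED;
    return check_password_unguarded(user_dn, password);
}
```

The guard belongs before the bind for the same reason the util_ldap.c comment gives: once an empty password reaches the server, the bind's success code no longer says anything about the caller's identity, and every later operation on that connection is running anonymously.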
Re: mod_authnz_ldap returns 500 in some cases if an empty password is supplied
> Hence I would propose the following two patches:
>
> 1. Do not allow setting an empty bind password via AuthLDAPBindPassword (no_empty_bind_password.diff).
> 2. In authn_ldap_check_password move the checks for NULL user / password up (IMHO we cannot do anything sensible in case they
> are NULL); in addition, check if the password is empty and return AUTH_DENIED if this is the case. This would be similar to
> the behavior in case AuthLDAPBindDN / AuthLDAPBindPassword is used (no_empty_password_check.diff).
>
> Opinions?

+1
Re: mod_authnz_ldap returns 500 in some cases if an empty password is supplied
On 1/15/21 10:04 PM, Eric Covener wrote:
>> Hence I would propose the following two patches:
>>
>> 1. Do not allow setting an empty bind password via AuthLDAPBindPassword (no_empty_bind_password.diff).
>> 2. In authn_ldap_check_password move the checks for NULL user / password up (IMHO we cannot do anything sensible in case they
>> are NULL); in addition, check if the password is empty and return AUTH_DENIED if this is the case. This would be similar to
>> the behavior in case AuthLDAPBindDN / AuthLDAPBindPassword is used (no_empty_password_check.diff).
>>
>> Opinions?
>
> +1
>

r1885939, r1885940, r1885941

Regards

Rüdiger