Jackrabbit Oak: OAK-2078

Prevent null/empty passwords in ldap provider


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.5
    • Fix Version/s: 1.0.6, 1.1.0
    • Component/s: security
    • Labels: None

    Description

      LDAP specifies anonymous authentication by passing an empty password. The default LDAP provider in Oak uses the bind method to validate the user credentials. Passing an empty password wrongly authenticates the user against the repository if the LDAP server is not secured enough.

      http://tools.ietf.org/html/rfc4513#section-5.1.1

      5.1.1. Anonymous Authentication Mechanism of Simple Bind
      An LDAP client may use the anonymous authentication mechanism of the
      simple Bind method to explicitly establish an anonymous authorization
      state by sending a Bind request with a name value of zero length and
      specifying the simple authentication choice containing a password
      value of zero length.

      and further:

      Unauthenticated Bind operations can have significant security issues
      (see Section 6.3.1). In particular, users intending to perform
      Name/Password Authentication may inadvertently provide an empty
      password and thus cause poorly implemented clients to request
      Unauthenticated access. Clients SHOULD be implemented to require
      user selection of the Unauthenticated Authentication Mechanism by
      means other than user input of an empty password. Clients SHOULD
      disallow an empty password input to a Name/Password Authentication
      user interface. Additionally, Servers SHOULD by default fail
      Unauthenticated Bind requests with a resultCode of
      unwillingToPerform.
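Added illustration, not part of the issue and not Oak's code: the Python below models the three simple-bind mechanisms of RFC 4513 section 5.1 against a constructed in-memory directory, then contrasts a bind-based credential check that trusts any successful bind (the pattern the issue describes) with one that refuses null or empty passwords before sending a bind, which is what the issue title asks for. The DNs, passwords and the `allow_unauthenticated_bind` flag are assumptions made for the demo; the flag stands in for a directory that ignores the RFC's SHOULD and accepts unauthenticated binds instead of answering unwillingToPerform.

```python
"""RFC 4513 simple-bind semantics modelled offline (illustration for OAK-2078).

This is demo code, not Oak's LDAP provider. The directory contents, DNs and
passwords are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# LDAP resultCode values from RFC 4511, Appendix A.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


def bind_mechanism(name: str, password: str) -> str:
    """Classify a simple Bind request as RFC 4513 section 5.1 does."""
    if name == "" and password == "":
        return "anonymous"          # 5.1.1: zero-length name and password
    if password == "":
        return "unauthenticated"    # 5.1.2: name present, zero-length password
    return "name/password"          # 5.1.3: the mechanism callers actually intend


@dataclass
class SimulatedLdapServer:
    """Constructed in-memory stand-in for a directory server.

    `users` maps a DN to its password. `allow_unauthenticated_bind` models a
    server that accepts unauthenticated binds (the "not secured enough" case in
    the issue); the default follows the RFC and answers unwillingToPerform.
    """
    users: Dict[str, str]
    allow_unauthenticated_bind: bool = False

    def simple_bind(self, name: str, password: str) -> int:
        mechanism = bind_mechanism(name, password)
        if mechanism == "anonymous":
            return SUCCESS  # bind succeeds, but only an anonymous authz state results
        if mechanism == "unauthenticated":
            return SUCCESS if self.allow_unauthenticated_bind else UNWILLING_TO_PERFORM
        return SUCCESS if self.users.get(name) == password else INVALID_CREDENTIALS


def vulnerable_authenticate(server: SimulatedLdapServer, user_dn: str,
                            password: Optional[str]) -> bool:
    """Bind-based check that treats any successful bind as proof of the password.

    A null or empty password turns the request into an unauthenticated bind, so a
    lax server returns success and the caller is wrongly accepted.
    """
    return server.simple_bind(user_dn, password or "") == SUCCESS


def hardened_authenticate(server: SimulatedLdapServer, user_dn: str,
                          password: Optional[str]) -> bool:
    """Refuse null/empty passwords before any bind, as RFC 4513 5.1.2 asks of clients.

    The request never reaches the server, so its configuration no longer decides
    whether an empty password authenticates.
    """
    if not user_dn or not password:
        return False
    return server.simple_bind(user_dn, password) == SUCCESS


def run_demo() -> Dict[str, bool]:
    """Exercise both checks against a lax and a strict directory (constructed data)."""
    dn = "uid=alice,ou=people,dc=example,dc=com"
    users = {dn: "correct horse battery staple"}
    lax = SimulatedLdapServer(users, allow_unauthenticated_bind=True)
    strict = SimulatedLdapServer(users)
    return {
        "lax_vulnerable_empty": vulnerable_authenticate(lax, dn, ""),      # accepted: the bug
        "lax_vulnerable_none": vulnerable_authenticate(lax, dn, None),     # accepted: the bug
        "strict_vulnerable_empty": vulnerable_authenticate(strict, dn, ""),  # only the server saves us
        "lax_hardened_empty": hardened_authenticate(lax, dn, ""),
        "lax_hardened_none": hardened_authenticate(lax, dn, None),
        "lax_hardened_correct": hardened_authenticate(lax, dn, "correct horse battery staple"),
        "lax_hardened_wrong": hardened_authenticate(lax, dn, "wrong"),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:26s} -> {'accepted' if accepted else 'rejected'}")
```

The point the demo makes is that the vulnerable check is only as safe as the directory it talks to: against the strict server it happens to fail closed, against the lax one it accepts an empty password. The hardened check moves the decision to the client, where the RFC says it belongs, so the outcome is the same against both servers.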


          People

            Assignee: Tobias Bocanegra (tripod)
            Reporter: Tobias Bocanegra (tripod)
            Votes: 0
            Watchers: 2
