Author: tmckay
Date: 2011-12-22 17:35:09 +0000 (Thu, 22 Dec 2011)
New Revision: 5181
Modified:
trunk/cumin/python/cumin/authenticator.py
Log:
Disallow zero length password to be passed for LDAP authentication.
This prevents a login from being erroneously accepted when the LDAP server has unauthenticated binds enabled.
This should be followed up with a better error message on the login screen.
Modified: trunk/cumin/python/cumin/authenticator.py
===================================================================
--- trunk/cumin/python/cumin/authenticator.py 2011-12-16 13:14:44 UTC (rev 5180)
+++ trunk/cumin/python/cumin/authenticator.py 2011-12-22 17:35:09 UTC (rev 5181)
@@ -114,6 +114,20 @@
log.info("Authenticator: authentication failed, "\
"query returned no results in %s",
self.__class__.__name__)
else:
+ # We need to check for zero length passwords here and disallow.
+ # This is because an LDAP directory server MAY allow unauthenticated
+ # binds, which are indicated by a zero length password. Red Hat Directory
+ # Services turns unauthenticated binds off by default, for example,
+ # but who knows how this particular server may be configured?
+
+ # If unauthenticated binds are allowed by the server, then simple_bind_s
+ # below will succeed with a zero lengh password and cumin will think that
+ # password authentication has succeeded when it really hasn't.
+ if password == "":
+ log.error("Authenticator: zero length password is not allowed for
"\
+ "ldap users")
+ return False
+
for dn,ent in res:
try:
conn.simple_bind_s(dn,password)
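Review bot: The guard `if password == "":` rejects only the empty string, so a `None` password (e.g. a missing form field) still reaches `conn.simple_bind_s(dn,password)`; how python-ldap treats `None` there is version-dependent and I cannot confirm it from this hunk, so the safer form is `if not password:` so both cases are refused before any bind is attempted. Since this check is what keeps a server-side unauthenticated bind (RFC 4513: non-empty DN with an empty password) from being mistaken for a successful login, the comment could name that directly, e.g. `# RFC 4513 unauthenticated bind = non-empty DN + empty password; never treat it as success`, and the typo `lengh` in the existing comment should read `length`. The `log.error(...)` call appears split across two lines in this rendering, which looks like a listing artifact rather than the committed code. The enclosing method begins before the hunk and the `for dn,ent in res:` loop continues past it.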