This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #1596] icinga-web: LDAP auth allows empty passwords #420

Closed
icinga-migration opened this issue May 27, 2011 · 3 comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/1596

Created by lydon on 2011-05-27 08:22:53 +00:00

Assignee: (none)
Status: Resolved (closed on 2011-05-27 14:58:02 +00:00)
Target Version: 1.4.1
Last Update: 2011-06-08 08:14:56 +00:00 (in Redmine)


The current (1.4.0) LDAPModel.class.php allows login with an empty password, which might result in an anonymous login. I can even log in to our AD as any valid user by giving an empty password (our AD has anonymous binds disabled!).

So it's best (as found in some comments on the PHP ldap_bind function) to validate the information given to login.

Attached is a patch which checks for an empty password and returns from doAuthenticate with false if the password given is empty. This fixes my problem.
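
The check described in this report, written out as an added example; it is not the attached patch and not icinga-web's LDAPModel code. The function name, server URI and DN are hypothetical, and the two calls at the end use constructed input that is rejected before any connection is opened.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: true only when the directory accepted a simple bind
 * that actually carried a password.
 */
function ldapPasswordBind(string $uri, string $bindDn, string $password): bool
{
    // RFC 4513 section 5.1.2: a simple bind with a DN and a zero-length
    // password is an "unauthenticated bind". A server may answer it with
    // success, so ldap_bind() returning true would prove nothing about the
    // user. Refuse such input before talking to the directory at all.
    if ($bindDn === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Suppress the PHP warning on bad credentials; the boolean is the result.
    $ok = @ldap_bind($conn, $bindDn, $password);
    ldap_unbind($conn);

    return $ok;
}

// Constructed input: an empty password and an empty DN, both refused locally.
var_dump(ldapPasswordBind('ldap://dc.example.test', 'CN=alice,DC=example,DC=test', ''));
var_dump(ldapPasswordBind('ldap://dc.example.test', '', 'not-empty'));
```

The comparison is against the exact empty string on purpose: PHP's `empty()` also treats the string "0" as empty, which would reject a legitimate (if poor) password.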


@icinga-migration

Updated by mhein on 2011-05-27 14:58:02 +00:00

  • Status changed from New to Resolved

Patch applied, thanks for that!

Kind regards,
Marius.

@icinga-migration

Updated by mfriedrich on 2011-06-08 08:14:26 +00:00

  • Project changed from 19 to Web

@icinga-migration

Updated by mfriedrich on 2011-06-08 08:14:56 +00:00

  • Target Version set to 1.4.1
  • Done % changed from 0 to 100

icinga-migration added this to the 1.4.1 milestone on Jan 17, 2017