This repository has been archived by the owner on Jan 15, 2019. It is now read-only.
This issue has been migrated from Redmine: https://dev.icinga.com/issues/1596
Created by lydon on 2011-05-27 08:22:53 +00:00
Assignee: (none)
Status: Resolved (closed on 2011-05-27 14:58:02 +00:00)
Target Version: 1.4.1
Last Update: 2011-06-08 08:14:56 +00:00 (in Redmine)
The current (1.4.0) LDAPModel.class.php allows the login with an empty password, which might result in an anonymous login. I can even log in to our AD with any valid user by giving empty passwords (our AS has anonymous binds disabled!).
So it's best (as found in some comments of the PHP ldap_bind function) to validate the information given to login.
Attached is a patch which checks for an empty password and returns from doAuthenticate with false if the password given is empty. This fixes my problem.
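The check the report describes, as an added example that is not the attached patch or Icinga Web's own code: credentials are validated before any bind is attempted, and the NUL-byte test goes one step beyond the empty-password check in the report. The function names and the stand-in directory are hypothetical, and the sample DN and passwords are constructed.

```php
<?php
declare(strict_types=1);

// Added example: function names and the stand-in server are hypothetical.

/** True only if the pair can prove identity in an LDAP simple bind. */
function credentialsAreBindable(string $dn, string $password): bool
{
    // An empty password with a DN is an "unauthenticated bind" (RFC 4513,
    // section 5.1.2); empty DN and password is an anonymous bind. A server
    // may answer either with success without checking any secret.
    if ($dn === '' || $password === '') {
        return false;
    }
    // Extra precaution beyond the report: C code that treats the password
    // as NUL-terminated would read "\0..." as an empty string.
    return strpos($dn, "\0") === false && strpos($password, "\0") === false;
}

/** $bind is any callable (dn, password) => bool, e.g. a wrapper around ldap_bind(). */
function authenticate(callable $bind, string $dn, string $password): bool
{
    if (!credentialsAreBindable($dn, $password)) {
        return false; // rejected locally, the directory is never contacted
    }
    return $bind($dn, $password) === true;
}

// Constructed stand-in for a directory that reports success on empty passwords.
$permissiveBind = function (string $dn, string $password): bool {
    $users = ['cn=alice,dc=example,dc=org' => 'correct horse']; // constructed
    if ($password === '') {
        return true;
    }
    return isset($users[$dn]) && hash_equals($users[$dn], $password);
};

$cases = [
    ['cn=alice,dc=example,dc=org', ''],
    ['cn=alice,dc=example,dc=org', "\0x"],
    ['cn=alice,dc=example,dc=org', 'wrong'],
    ['cn=alice,dc=example,dc=org', 'correct horse'],
];
foreach ($cases as [$dn, $pw]) {
    printf("%-14s raw bind: %-5s guarded: %s\n", json_encode($pw),
        var_export($permissiveBind($dn, $pw), true),
        var_export(authenticate($permissiveBind, $dn, $pw), true));
}
```

Against a real directory, `$bind` would wrap `ldap_bind()` on an already opened connection; the guard stays the same.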