Authentication to ActiveDirectory's LDAP succeeds with correct password OR no password


I'm working on LDAP authentication support for our web application. While testing this functionality, I've noticed a very strange behavior: a user can authenticate using the correct password OR no password. If a wrong password is entered, authentication fails.

At first I thought I might have missed something in my code, but then I decided to test it with some desktop client. I tried 'Active Directory Explorer' from Windows Sysinternals, and, surprisingly, it resulted in the same behavior.

Any thoughts about this? As you have guessed, we're using Active Directory. Let me know if I should learn more details about our Active Directory configuration.

Arturs Licis

Posted 2012-08-07T07:19:04.747


Answers


A distinguished name may not "authenticate" with a zero-length password. The simple BIND LDAP operation has the following possibilities:

  • no DN, no password (anonymous, no authentication takes place)
  • DN, no password (unauthenticated, no authentication takes place)
  • DN, password (authentication succeeds if credentials match)
  • no DN, password (server behavior not defined in the standards)

Terry Gardner

Posted 2012-08-07T07:19:04.747



It seems I found an explanation here: LDAP: Simple Authentication. It states:

Note: If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.

Arturs Licis

Posted 2012-08-07T07:19:04.747

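The four simple-bind cases from the first answer, and the empty-password rule quoted in the second, as an added example that is not code from the question or either answer. It builds the RFC 4511 BindRequest wire form so you can see that "DN plus empty password" is a perfectly well-formed request (the server simply treats it as unauthenticated), and adds the guard an application login path needs before it ever calls bind; the function names are our own.

```python
def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the sign bit clear."""
    return ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }
    as defined in RFC 4511. An empty password encodes as '80 00'."""
    bind_request = ber(0x60,                                   # [APPLICATION 0]
                       ber_int(3)                              # version 3
                       + ber(0x04, dn.encode("utf-8"))         # name: LDAPDN
                       + ber(0x80, password.encode("utf-8")))  # simple [0] OCTET STRING
    return ber(0x30, ber_int(message_id) + bind_request)


def classify_simple_bind(dn: str, password: str) -> str:
    """Which RFC 4513 section 5.1 bind case these two fields produce."""
    if not dn and not password:
        return "anonymous"        # no authentication takes place
    if dn and not password:
        return "unauthenticated"  # no authentication takes place either;
                                  # RFC 4513 says servers SHOULD reject this,
                                  # but the Active Directory in the question
                                  # returns success, which is the observed bug
    if dn and password:
        return "authenticated"    # the only case where the password is checked
    return "undefined"            # password without DN: not standardised


def credentials_ok_for_login(dn: str, password: str) -> bool:
    """Guard for an application login path: refuse anything that cannot
    result in a real credential check, so a successful bind means something."""
    return classify_simple_bind(dn, password) == "authenticated"
```

Apply the guard before the bind call, not after: a bind result of success for a DN with an empty password is exactly the false positive described in the question.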