Add explicit notes around password-less simple auth #292
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
captainpete
commented
Jun 29, 2017
| @@ -823,7 +829,11 @@ def search(args = {}) | |||
| # ldap.port = 389 | |||
| # ldap.auth your_user_name, your_user_password | |||
| # if ldap.bind | |||
| # # authentication succeeded | |||
| # if your_user_password.size > 0 | |||
There was a problem hiding this comment.
I think this complicates the example, should auth, authenticate or bind check for presence of the password internally when the authentication method is simple?.
|
FWIW This to me is a major security oversight of the library and a big gotcha! I just stumbled upon this after realizing a blank password was accepted for an admin login on one of our internal services utilizing this library. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi there,
The simple auth bind example does not show how unauthenticated bind success responses can happen. Many A/D servers are configured to have successful bind when no password is supplied if the username is correct. RFC4513 5.1.2 recommends only assuming authenticated bind when password sent was present (and to improve the A/D server configuration).
At the risk of complicating the example I've created this pull request, please let me know how I can improve it!
Thanks,
Pete