On 26/05/2020 12:40, Baptiste Grenier wrote:
> On 26/05/20 at 11:52, Emmanuel Lécharny wrote:
>> You should be able to create an unauthenticated connection by
>> selecting "No Authentication" in the "Authentication Method" drop box
>> in the "Authentication" tab of the Connection popup...
> So no authentication (i.e. anonymous) is not the same as the simple
> bind unauthenticated authentication mechanism.
Sorry, I read your mail a bit quickly.
The unauthenticated bind is a security risk, and the RFC explicitly says
that "Clients SHOULD disallow an empty password input to a Name/Password
Authentication user interface".
IMO, the trick you are using to get it working is more likely a bug than
a 'feature'. Actually, in the LDAP API, we forbid the use of a name with
no password:

    // The password must not be empty or null
    if ( Strings.isEmpty( credentials ) && ( !Dn.EMPTY_DN.equals( name ) ) )
    {
        if ( LOG.isDebugEnabled() )
        {
            LOG.debug( I18n.msg( I18n.MSG_04105_MISSING_PASSWORD ) );
        }

        throw new LdapAuthenticationException( I18n.msg( I18n.MSG_04105_MISSING_PASSWORD ) );
    }

although, reading the code, I can tell you that it's not true
everywhere, so it's definitively a bug.
Bottom line: you should never be allowed to send an unauthenticated bind
to a server...
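
The anonymous versus unauthenticated distinction discussed in this thread, as an added example that is not part of the original message and is not Apache Directory code: a JDK-only check that classifies simple-bind input per RFC 4513 section 5.1 before any request is built. The class and method names, the `allowAnonymous` parameter, and the sample DN and password are hypothetical.

```java
import java.nio.charset.StandardCharsets;

public class SimpleBindGuard {
    // The three simple-bind mechanisms of RFC 4513 section 5.1, plus the leftover combination.
    enum BindKind { ANONYMOUS, UNAUTHENTICATED, NAME_PASSWORD, PASSWORD_WITHOUT_NAME }

    static BindKind classify(String name, byte[] credentials) {
        boolean noName = name == null || name.isEmpty();
        boolean noPassword = credentials == null || credentials.length == 0;
        if (noName) {
            return noPassword ? BindKind.ANONYMOUS : BindKind.PASSWORD_WITHOUT_NAME;
        }
        // A name with an empty password is the unauthenticated bind the thread is about.
        return noPassword ? BindKind.UNAUTHENTICATED : BindKind.NAME_PASSWORD;
    }

    // Hypothetical policy check, called before the bind request is sent.
    // allowAnonymous: true for a browsing tool where the user explicitly chose
    // "No Authentication", false for a login form that treats bind success as
    // proof of identity.
    static void check(String name, byte[] credentials, boolean allowAnonymous) {
        BindKind kind = classify(name, credentials);
        boolean ok = kind == BindKind.NAME_PASSWORD
                || (kind == BindKind.ANONYMOUS && allowAnonymous);
        if (!ok) {
            throw new IllegalArgumentException("refusing " + kind + " simple bind");
        }
    }

    public static void main(String[] args) {
        String dn = "uid=jdoe,ou=people,dc=example,dc=com";        // constructed sample DN
        byte[] empty = new byte[0];
        byte[] secret = "s3cret".getBytes(StandardCharsets.UTF_8); // constructed sample password
        Object[][] cases = { { "", empty }, { dn, empty }, { dn, secret }, { "", secret } };
        for (Object[] c : cases) {
            String name = (String) c[0];
            byte[] creds = (byte[]) c[1];
            String verdict;
            try {
                check(name, creds, false); // login-form policy: anonymous not accepted either
                verdict = "allowed";
            } catch (IllegalArgumentException e) {
                verdict = e.getMessage();
            }
            System.out.println(classify(name, creds) + " -> " + verdict);
        }
    }
}
```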