Re-reading the RFC again, I think we should address the issue in Studio:
"Clients SHOULD be implemented to require user selection of the
Unauthenticated Authentication Mechanism by means other than user input
of an empty password."
which means we should add an "Unauthenticated Authentication" option in
the connection properties (and probably rename "No Authentication" to
"Anonymous" for clarity).
If the user selects "Simple Bind" and provides no password, then an error
should be generated.
The hack you found should also be disabled, i.e. we should always test if
the password is null *and* the authentication mode is not
"Unauthenticated". That is a bit more complex because I don't think we
save this information in the connection parameters.
So I'm inclined to say that it would deserve a JIRA on Studio.
On 26/05/2020 16:33, Baptiste Grenier wrote:
On 26/05/20 at 14:31, Emmanuel Lécharny wrote:
Sorry, I read your mail a bit quickly.
The unauthenticated bind is a security risk, and the RFC explicitly
says that "Clients SHOULD disallow an empty password input to a
Name/Password Authentication user interface".
IMO, the trick you are using to get it working is more likely a bug
than a 'feature'. Actually, in the LDAP API, we forbid the use of a
name with no password:
(...)
although, reading the code, I can tell you that it's not true
everywhere, so it's definitely a bug.
Bottom line: you should never be allowed to send an unauthenticated
bind to a server...
OK, thanks for your checks and answers!
Cheers,
Baptiste
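Added example for this thread (my own code, not Apache Directory Studio or Apache LDAP API code; written in Python so it runs stand-alone). It implements the client-side policy discussed above: the mechanism actually selected by a name/password pair is classified per RFC 4513 section 5.1 (anonymous, unauthenticated, name/password), and a BindRequest is only encoded when that mechanism matches the mode the user explicitly chose, so "Simple Bind" with an empty password is an error rather than a silent unauthenticated bind. The BindRequest is BER-encoded by hand (RFC 4511 section 4.2) to make the wire effect visible without a server. The names AuthMode, BindPolicyError, check_bind and build_bind_request, and the DN used in the demo, are illustrative and constructed for this example.

```python
"""Client-side guard for LDAP simple bind, following RFC 4513 section 5.1.

Example code for the mailing-list thread above; not Apache Directory Studio
or Apache LDAP API code. All names below are illustrative.
"""
from enum import Enum


class AuthMode(Enum):
    """The three simple-bind mechanisms of RFC 4513 section 5.1."""
    ANONYMOUS = "Anonymous"              # 5.1.1: empty name, empty password
    UNAUTHENTICATED = "Unauthenticated"  # 5.1.2: name, empty password (server treats as anonymous)
    SIMPLE = "Simple Bind"               # 5.1.3: name and non-empty password


class BindPolicyError(ValueError):
    """Raised when name/password do not match the mechanism the user selected."""


def classify_simple_bind(name: str, password: bytes) -> AuthMode:
    """Return the mechanism a name/password pair actually selects on the wire."""
    if not name and not password:
        return AuthMode.ANONYMOUS
    if name and not password:
        return AuthMode.UNAUTHENTICATED
    if name and password:
        return AuthMode.SIMPLE
    raise BindPolicyError("a password without a name is not a defined simple-bind mechanism")


def check_bind(mode: AuthMode, name: str, password: bytes) -> AuthMode:
    """Enforce the RFC 4513 SHOULDs quoted in the thread.

    An unauthenticated bind is accepted only when the user explicitly chose
    that mode; 'Simple Bind' with an empty password is an error, never a
    silent downgrade to an anonymous session.
    """
    actual = classify_simple_bind(name, password)
    if actual is not mode:
        raise BindPolicyError(
            f"{mode.value!r} selected, but the supplied name/password "
            f"correspond to {actual.value!r}"
        )
    return actual


def is_bind_allowed(mode: AuthMode, name: str, password: bytes) -> bool:
    """Boolean form of check_bind, convenient for UI validation."""
    try:
        check_bind(mode, name, password)
        return True
    except BindPolicyError:
        return False


def _ber_length(n: int) -> bytes:
    """Definite-form BER length octets (X.690 8.1.3)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _integer(n: int) -> bytes:
    """BER INTEGER for the small non-negative values used in LDAP headers."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def build_bind_request(mode: AuthMode, name: str, password: bytes, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } } per RFC 4511 4.2.

    Refuses to encode anything check_bind rejects, so an unauthenticated
    BindRequest can only leave this function if the caller asked for it by mode.
    """
    check_bind(mode, name, password)
    bind_request = _tlv(
        0x60,  # [APPLICATION 0] constructed: BindRequest
        _integer(3)                           # version
        + _tlv(0x04, name.encode("utf-8"))    # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password),               # authentication CHOICE: simple [0] OCTET STRING
    )
    return _tlv(0x30, _integer(message_id) + bind_request)  # LDAPMessage SEQUENCE


if __name__ == "__main__":
    dn = "cn=admin,dc=example,dc=com"  # constructed sample DN
    # The "hack" from the thread: a DN with an empty password under Simple Bind.
    try:
        build_bind_request(AuthMode.SIMPLE, dn, b"")
    except BindPolicyError as err:
        print("rejected:", err)
    # Same credentials, but the user explicitly selected Unauthenticated: allowed.
    print("unauthenticated BindRequest:", build_bind_request(AuthMode.UNAUTHENTICATED, dn, b"").hex())
```

The check lives in front of the encoder on purpose: whatever the UI stores in its connection parameters, the request cannot be built without the mode, which is the missing piece the thread points out. A server receiving the encoded unauthenticated request will answer success and treat the session as anonymous, which is exactly why the explicit mode matters.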