valid DN and empty password : bug?

Olivier Grisel og at
Wed Jan 12 16:50:02 CET 2005

Hello list,

I experiment a strange behavior (bug?) with python-ldap 2.0.4 and
Sun/Netscape iPlanet LDAP server.

Use case:
The server has an inetOrgPerson entry 'uid=toto,dc=mydomain,dc=com' with
the corresponding userPassword set to some regular non empty value
(something like '{SSHA}sgqsdfqs[...]' ).

When a do a simple_bind_s with toto's DN and the empty password string,
the simple_bind_s succeeds! Although, if I try with another (non empty)
wrong password string I get the expected ldap.INVALID_CREDENTIALS exception.

NB: anonymous has the 'read' permission on the whole directory, but I
haven't asked python-ldap to bind anonymously, I want it to try to bind
with the specified DN (uid=toto,dc=mydomain,dc=com).

I can't reproduce this bug with my OpenLDAP (slapd) server, since I get
the following exception ( toto's DN with an empty password):
ldap.UNWILLING_TO_PERFORM: {'info': 'unauthenticated bind (DN with no
password) disallowed', 'desc': 'Server is unwilling to perform'}
OpenLDAP refuses empty passwords.

It seems to me that python-ldap falls back to anonymous if the
authentication with empty password fails, which is not the expected
behavior (or is it ?). I would like it to raise ldap.INVALID_CREDENTIALS

I am sorry if this is an known bug, but google couldn't help mefind
references on it.



More information about the python-ldap mailing list