valid DN and empty password : bug?
Olivier Grisel
og at nuxeo.com
Wed Jan 12 16:50:02 CET 2005
Hello list,
I am experiencing a strange behavior (bug?) with python-ldap 2.0.4 and
Sun/Netscape iPlanet LDAP server.
Use case:
The server has an inetOrgPerson entry 'uid=toto,dc=mydomain,dc=com' with
the corresponding userPassword set to some regular non-empty value
(something like '{SSHA}sgqsdfqs[...]' ).
When I do a simple_bind_s with toto's DN and the empty password string,
the simple_bind_s succeeds! However, if I try with another (non-empty)
wrong password string I get the expected ldap.INVALID_CREDENTIALS exception.
NB: anonymous has the 'read' permission on the whole directory, but I
haven't asked python-ldap to bind anonymously, I want it to try to bind
with the specified DN (uid=toto,dc=mydomain,dc=com).
I can't reproduce this bug with my OpenLDAP (slapd) server, since I get
the following exception (toto's DN with an empty password):
"""
ldap.UNWILLING_TO_PERFORM: {'info': 'unauthenticated bind (DN with no
password) disallowed', 'desc': 'Server is unwilling to perform'}
"""
OpenLDAP refuses empty passwords.
It seems to me that python-ldap falls back to anonymous if the
authentication with empty password fails, which is not the expected
behavior (or is it?). I would like it to raise ldap.INVALID_CREDENTIALS
instead.
I am sorry if this is a known bug, but Google couldn't help me find
references on it.
Regards
Olivier
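
Added example, not part of the original message and not python-ldap's own code: a client-side guard for the case described above, which RFC 4513 section 5.1.2 calls an "unauthenticated bind" (non-empty DN, zero-length password; a server that allows it reports success and leaves the session anonymous). The names checked_simple_bind, EmptyCredentialError and FakeServerConn are hypothetical; the only connection methods assumed are python-ldap's simple_bind_s() and whoami_s(), and the server is assumed to support the "Who am I?" operation.

```python
# Added example: refuse "unauthenticated" simple binds on the client side.
# `conn` is any object exposing python-ldap's simple_bind_s(who, cred) and
# whoami_s(); FakeServerConn is a constructed stand-in so this runs offline.


class EmptyCredentialError(ValueError):
    """Raised before any network traffic when the DN or password is empty."""


def checked_simple_bind(conn, dn, password):
    """Bind as `dn` and return the authorization identity the server reports."""
    # RFC 4513 5.1.2: a non-empty DN with a zero-length password is an
    # "unauthenticated bind"; servers that allow it return success and leave
    # the session anonymous. Reject it here instead of trusting the result.
    if not dn or not dn.strip():
        raise EmptyCredentialError("empty bind DN (anonymous bind) refused")
    if password is None or len(password) == 0:
        raise EmptyCredentialError("empty password refused for %r" % dn)
    conn.simple_bind_s(dn, password)  # a wrong password raises here
    # Defence in depth: ask the server who we are (RFC 4532 "Who am I?").
    authzid = conn.whoami_s() or ""
    if not authzid:
        raise PermissionError("bind succeeded but session is anonymous")
    return authzid


class FakeServerConn:
    """Constructed stand-in for a server that accepts unauthenticated binds."""

    def __init__(self, directory):
        self.directory = directory  # {dn: password}, constructed sample data
        self.identity = ""

    def simple_bind_s(self, who, cred):
        if who and not cred:
            self.identity = ""  # success, but anonymous authorization state
            return
        if self.directory.get(who) != cred:
            raise PermissionError("invalid credentials")
        self.identity = "dn:" + who

    def whoami_s(self):
        return self.identity
```

With a real python-ldap connection, an application that wants the exception asked for above can raise ldap.INVALID_CREDENTIALS in place of EmptyCredentialError.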