valid DN and empty password : bug?
Michael Ströder
michael at stroeder.com
Wed Jan 12 18:57:25 CET 2005
Olivier Grisel wrote:
>
> The server has an inetOrgPerson entry 'uid=toto,dc=mydomain,dc=com' with
> the corresponding userPassword set to some regular non empty value
> (something like '{SSHA}sgqsdfqs[...]' ).
>
> When I do a simple_bind_s with toto's DN and the empty password string,
> the simple_bind_s succeeds! Although, if I try with another (non-empty)
> wrong password string I get the expected ldap.INVALID_CREDENTIALS
> exception.
This is a normal behaviour. But as you already experienced, it depends on
the LDAP server implementation.
(I remember this being debated to death on some IETF mailing lists.)
> but I
> haven't asked python-ldap to bind anonymously, I want it to try to bind
> with the specified DN (uid=toto,dc=mydomain,dc=com).
Some LDAP servers regard an empty password as implicitly being an
anonymous bind but log the bind-DN.
> I can't reproduce this bug with my OpenLDAP (slapd) server, since I get
> the following exception ( toto's DN with an empty password):
> """
> ldap.UNWILLING_TO_PERFORM: {'info': 'unauthenticated bind (DN with no
> password) disallowed', 'desc': 'Server is unwilling to perform'}
> """
> OpenLDAP refuses empty passwords.
The OpenLDAP developers simply had a different point of view on how to
handle such a simple bind request by default. You can change this
behaviour. See the description for the config directive "allow bind_anon_dn" in
man 5 slapd.conf:
allow <features>
[..]
bind_anon_dn allows unauthenticated (anonymous) bind when DN
is not empty.
[..]
Refer to the OpenLDAP lists and their archives for reading more about it.
> It seems to me that python-ldap falls back to anonymous if the
> authentication with empty password fails,
Nope! The LDAP client parts are just a primitive wrapper around the
OpenLDAP API.
Note that my LDAP client application web2ldap implicitly assumes an anon
bind if a user enters a bind-DN without a password. The bind-DN is set
to the empty string by web2ldap in this case. But python-ldap simply passes
what the client application told it to send to the LDAP server.
> which is not the expected
> behavior (or is it ?). I would like it to raise ldap.INVALID_CREDENTIALS
> instead.
In case of an error python-ldap directly maps the result code returned
by the LDAP server to the ldap.LDAPError exception that is raised. python-ldap
has no additional behaviour regarding error handling. Your LDAP client
application has to deal with the different error codes returned by different
LDAP server implementations.
> I am sorry if this is a known bug,
It's definitely not a python-ldap bug.
Ciao, Michael.
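The practical consequence of the thread above is that the client application, not python-ldap, has to defend against a "DN with empty password" bind being accepted as anonymous. The following is an added example, not code from the thread or from python-ldap: it refuses to send such a bind at all and, after a successful bind, uses the Who Am I? extended operation to confirm the server did not silently treat the session as anonymous. `conn` is assumed to behave like python-ldap's LDAPObject (simple_bind_s, whoami_s); the FakeAnonDNServer is a constructed stand-in for a server with "allow bind_anon_dn" enabled, so nothing is contacted.

```python
# Added example (not from the original thread or python-ldap).
# Guards a client against the "DN with empty password" bind: never send it,
# and verify after a successful bind that the session is really authenticated.


class UnauthenticatedBindRefused(Exception):
    """Empty password: the bind request is never sent to the server."""


class BindNotAuthenticated(Exception):
    """Server answered success but treats the session as anonymous."""


def authenticated_bind(conn, dn, password):
    """Bind as dn with password; return the authzId reported by Who Am I?."""
    if not dn or not dn.strip():
        raise ValueError("bind DN is empty; use an explicit anonymous bind")
    if not password:
        raise UnauthenticatedBindRefused("refusing unauthenticated bind for %s" % dn)
    conn.simple_bind_s(dn, password)  # invalidCredentials etc. propagate unchanged
    authz_id = conn.whoami_s() or ""  # RFC 4532: empty authzId means anonymous
    if not authz_id:
        raise BindNotAuthenticated("bind for %s was accepted as anonymous" % dn)
    return authz_id


class FakeAnonDNServer:
    """Constructed stand-in for a server with 'allow bind_anon_dn' enabled."""

    def __init__(self, passwords):
        self.passwords = passwords  # {dn: password}, constructed sample data
        self.authz_id = ""

    def simple_bind_s(self, dn, password):
        if password == "":  # DN with no password: success, but anonymous session
            self.authz_id = ""
            return
        if self.passwords.get(dn) != password:
            # stands in for ldap.INVALID_CREDENTIALS in a real python-ldap client
            raise PermissionError("invalidCredentials")
        self.authz_id = "dn:" + dn

    def whoami_s(self):
        return self.authz_id
```

With a real python-ldap LDAPObject, replace PermissionError in the caller's error handling with ldap.INVALID_CREDENTIALS; the guard itself needs no change.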