BUG #4877: LDAP auth allows empty password string

Started by Richard Tector, almost 17 years ago. 2 messages. List: bugs
#1 Richard Tector
richard@tector.org.uk

The following bug has been logged online:

Bug reference: 4877
Logged by: Richard Tector
Email address: richard@tector.org.uk
PostgreSQL version: 8.3.7
Operating system: FreeBSD 7.2-RELEASE-p1
Description: LDAP auth allows empty password string
Details:

In general the client libraries for PostgreSQL error if an empty password is
used. The JDBC drivers do not, and this has uncovered a problem with the
server's LDAP authentication code.

When authenticating against Active Directory using the method:
ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
Authentication is successful with both the correct password and an empty
password, so long as a valid user is supplied. Using a non-existent username
or an incorrect password correctly produces an error and the logon fails.

#2 Magnus Hagander
magnus@hagander.net
In reply to: Richard Tector (#1)
Re: BUG #4877: LDAP auth allows empty password string

Richard Tector wrote:

> The following bug has been logged online:
>
> Bug reference: 4877
> Logged by: Richard Tector
> Email address: richard@tector.org.uk
> PostgreSQL version: 8.3.7
> Operating system: FreeBSD 7.2-RELEASE-p1
> Description: LDAP auth allows empty password string
> Details:
>
> In general the client libraries for PostgreSQL error if an empty password is
> used. The JDBC drivers do not, and this has uncovered a problem with the
> server's LDAP authentication code.
>
> When authenticating against Active Directory using the method:
> ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
> Authentication is successful with both the correct password and an empty
> password, so long as a valid user is supplied. Using a non-existent username
> or an incorrect password correctly produces an error and the logon fails.

Since this is a security related report, it should have been reported to
security@postgresql.org, as specified on the web form you used.

For this reason, we will follow this up on that forum, and post a public
followup once the issue has been investigated.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/