Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 456456 - There is no way to tell apart an unauthenticated bind from an anonymous bind
Summary: There is no way to tell apart an unauthenticated bind from an anonymous bind
Alias: None
Product: 389
Classification: Retired
Component: Security - Access Control (ACL)
Version: 1.1.1
Hardware: All
OS: All
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
Depends On:
TreeView+ depends on / blocked
Reported: 2008-07-23 19:51 UTC by Loris Santamaria
Modified: 2015-01-04 23:33 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-07 22:28:52 UTC

Attachments (Terms of Use)
Plugin to disable unauthenticated binds (deleted)
2008-07-24 22:09 UTC, Loris Santamaria
no flags Details

Description Loris Santamaria 2008-07-23 19:51:09 UTC
if one does a search in the directory with a valid DN and an empty password, the
bind succeeds. For example

ldapsearch -x -D "uid=jsmith,ou=people,dc=company" -w ""

Now while this behaviour is permitted, altough discouraged, in the relevant
RFCs, the real problem is that there is not a way to disable this
"unauthenticated binds" without disabling truly anonymous access altogether. 

As most web apps test if the user can bind to the directory to perform user
authentication this behaviour of FDS may lead to users getting access to
sensitive data without providing a password. Yes, that would be because of badly
written client application but we should disable this behaviour and not expect
that application will do always the right thing.

Here is the relevant RFC:

Comment 1 Loris Santamaria 2008-07-24 22:09:07 UTC
Created attachment 312602 [details]
Plugin to disable unauthenticated binds

Comment 2 Loris Santamaria 2008-07-24 22:10:23 UTC
The above plugin checks if the users sends a DN but no password (unauthenticated
bind), and if it is the case, it returns an error code 32 (Unwilling to perform)

Tested with anonymous connections, unauthenticated binds, plain binds, and SASL
GSSAPI connections.

Feel free to modify, use, or trash the plugin at your will. 

Comment 3 Rich Megginson 2008-07-24 23:04:35 UTC
Thanks!  We'll have a look at it once we get a little time.

We will need a CLA to accept this code - - if you already have an
account with the Fedora Account System, you can fill out the CLA on-line - if
you do so, or if you have already done this, just let me know what your FAS
account name is -

Comment 4 Loris Santamaria 2008-07-25 02:53:24 UTC
I've registered an account, and the account name is loris

Comment 5 Nathan Kinder 2008-11-07 22:28:52 UTC
This is a duplicate of 316241.  We definitely appreciate the contribution, but the fix in the other bug is in the core server code with a configuration attribute to control the behavior as opposed to a new separate plug-in.  For a feature this simple, it is preferred to not have to have an entire plug-in, so we are going to go with that approach.

*** This bug has been marked as a duplicate of bug 316241 ***

Note You need to log in before you can comment on or make changes to this bug.