Do not allow blank passwords when authenticating against LDAP.
authorCraig Andrews <candrews@integralblue.com>
Tue, 21 Sep 2010 22:04:28 +0000 (18:04 -0400)
committerCraig Andrews <candrews@integralblue.com>
Tue, 21 Sep 2010 22:05:18 +0000 (18:05 -0400)
plugins/LdapCommon/LdapCommon.php

index 7dea1f0ed420e1c282f8d433a42666071200b304..159b2d265a2c13c123f04c7e21620d01d310a672 100644 (file)
@@ -144,6 +144,12 @@ class LdapCommon
         if(!$entry){
             return false;
         }else{
+            if(empty($password)) {
+                //NET_LDAP2 will do an anonymous bind if bindpw is not set / empty string
+                //which causes all login attempts that involve a blank password to appear
+                //to succeed. Which is obviously not good.
+                return false;
+            }
             $config = $this->get_ldap_config();
             $config['binddn']=$entry->dn();
             $config['bindpw']=$password;
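Review bot: The added `empty($password)` guard is looser than the condition it protects against, because PHP's `empty()` is also true for the string `'0'`, so an account whose password is literally `0` could never authenticate. The comment says the anonymous-bind fallback happens when the bind password is unset or an empty string, so a test that states exactly that is clearer and still fails closed: `if (!is_string($password) || $password === '') { return false; }`. The guard also sits after the directory lookup that produces `$entry` (that code and the rest of the function are outside this hunk), so a blank password still costs a search; moving the check to the top of the function would avoid that if nothing earlier depends on it. Since this is a client-side check only, I would extend the comment to name the behaviour, e.g. `// LDAP treats a bind with a DN and a zero-length password as an unauthenticated bind`, and confirm separately that the directory server is configured to reject such binds.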