Defect #714

closed

LDAP authentication without password

Added by Tibor Toth about 16 years ago. Updated almost 16 years ago.

Status: Closed
Priority: High
Assignee: -
Category: Accounts / authentication
Target version:
Start date: 2008-02-22
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

I configured LDAP authentication using ActiveDirectory.

Users are able to log in with their username/password, but they can also log in with an empty password.

If they enter a wrong password (which is not an empty string), they get the "Invalid user or password" message.

I think the problem is in ruby-net-ldap. It is used in /app/models/auth_source_ldap.rb around line 50:

# authenticate user
ldap_con = initialize_ldap_con(dn, password)
return nil unless ldap_con.bind

ldap_con.bind returns true when an empty string is given as the password.

Redmine version: v0.6.3
ruby-net-ldap version: 0.0.4
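
The behaviour described in this report, reproduced as an added Ruby example that is not Redmine's or ruby-net-ldap's code. It assumes the directory treats a simple bind with a DN and an empty password as an unauthenticated bind (RFC 4513, section 5.1.2) and reports success; `FakeDirectory`, `authenticate_unchecked` and `authenticate_checked` are hypothetical names, and the sample entry is constructed.

```ruby
# Added example, not Redmine's code. FakeDirectory is a constructed stand-in
# for an LDAP connection so the example runs offline without net-ldap.
class FakeDirectory
  # Constructed sample entry: DN => password.
  USERS = { 'cn=jdoe,dc=example,dc=org' => 's3cret' }.freeze

  def initialize(dn, password)
    @dn = dn
    @password = password
  end

  # Assumption: like a server that permits unauthenticated binds, an empty
  # password "succeeds" without any credential being verified.
  def bind
    return true if @password.to_s.empty?
    USERS[@dn] == @password
  end
end

# Same shape as the snippet in the report: trusts whatever bind returns.
def authenticate_unchecked(dn, password)
  ldap_con = FakeDirectory.new(dn, password)
  return nil unless ldap_con.bind
  dn
end

# Hardened form: refuse blank credentials before any bind is attempted,
# so an unauthenticated bind can never be mistaken for a login.
def authenticate_checked(dn, password)
  return nil if dn.to_s.strip.empty? || password.to_s.empty?
  ldap_con = FakeDirectory.new(dn, password)
  return nil unless ldap_con.bind
  dn
end

DN = 'cn=jdoe,dc=example,dc=org'
[['correct password', 's3cret'], ['wrong password', 'guess'],
 ['empty password', ''], ['nil password', nil]].each do |label, pw|
  puts format('%-17s unchecked=%-5s checked=%s', label,
              !authenticate_unchecked(DN, pw).nil?,
              !authenticate_checked(DN, pw).nil?)
end
```

Only the empty and nil rows differ between the two functions, which matches the report: a wrong non-empty password is rejected either way.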
