
Re: ldap_simple_bind_s (null) vs '' for password



> Hi,
>  I have a question relating to ldap_simple_bind_s. This issue comes up
> when I try with a 2003 Active Directory, but I am using OpenLDAP API to
> talk to this server.
>
>  a brief sequence of steps:
>
>  1) ldap_simple_bind_s (correct dn, correct password)
>  2) ...
>  3) ldap_simple_bind_s (correct dn, "") *
>  4) ldap_simple_bind_s (correct dn, incorrect password) **
>  5) ldap_simple_bind_s (correct dn, 0) ***
>  6) ...
>  7) ldap_unbind_s
>
>
> 3) * - succeeds!!
> 4) ** - fails as expected.
> 5) *** - succeeds!!

3) & 5) succeed, but result in an anonymous bind
(if they don't, it's a bug)

>
> I tried the same with slapd, but as expected 3,4,5 fail.

this feature is disabled by default in slapd; you
can re-enable it by using the "allow" directive;
see slapd.conf(5) for details.

>
> I am confused as to why 3 succeeds, slapd doesn't allow (dn with no
> password), maybe AD2003 allows this, but no password is (null) or 0 as
> in 5, but how does 3 succeed..?
>
> with 3,5 if I try to do any other operation in 6 like ldap_search_s it
> fails with the following message:
> LdapErr: DSID-0C0905FF, comment: In order to perform this operation a
> successful bind must be completed on the connection., data 0, vece
>
> Any suggestions as to how I can correct this ?

I have no idea about how to disable this in AD.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
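
Added example (not part of the original message and not OpenLDAP code): a client-side check that refuses a NULL or empty password before a simple bind is sent, so that the outcome of steps 3 and 5 above cannot be mistaken for a successful login. The callback type, GUARD_REFUSED, stub_bind, the sample DN and the sample passwords are assumptions made for illustration; in real use the callback would wrap ldap_simple_bind_s.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum bind_kind { BIND_ANONYMOUS, BIND_UNAUTHENTICATED, BIND_NAME_PASSWORD };

/* Assumed callback shape mirroring ldap_simple_bind_s(ld, dn, passwd);
 * ld is a void* so this compiles without libldap. */
typedef int (*simple_bind_fn)(void *ld, const char *dn, const char *passwd);

#define GUARD_REFUSED (-1000) /* constructed local code, not an LDAP result */

static int is_empty(const char *s) { return s == NULL || s[0] == '\0'; }

/* NULL and "" both mean a zero-length password (steps 3 and 5 in the thread). */
enum bind_kind classify_simple_bind(const char *dn, const char *passwd)
{
    if (!is_empty(passwd))
        return BIND_NAME_PASSWORD;
    return is_empty(dn) ? BIND_ANONYMOUS : BIND_UNAUTHENTICATED;
}

/* Use when the bind result decides whether a user is logged in. */
int checked_simple_bind(simple_bind_fn bind, void *ld,
                        const char *dn, const char *passwd)
{
    if (is_empty(dn) || classify_simple_bind(dn, passwd) != BIND_NAME_PASSWORD)
        return GUARD_REFUSED; /* the request never reaches the server */
    return bind(ld, dn, passwd);
}

/* Constructed stand-in for a server that behaves as in the thread:
 * empty password -> success (0), wrong password -> invalidCredentials (49). */
int stub_bind(void *ld, const char *dn, const char *passwd)
{
    (void)ld; (void)dn;
    if (is_empty(passwd))
        return 0;
    return strcmp(passwd, "correct-pw") == 0 ? 0 : 49;
}

int main(void)
{
    const char *dn = "cn=user,dc=example,dc=com"; /* constructed DN */
    const char *pw[] = { "correct-pw", "", "wrong-pw", NULL };
    for (size_t i = 0; i < 4; i++)
        printf("raw=%d checked=%d\n", stub_bind(NULL, dn, pw[i]),
               checked_simple_bind(stub_bind, NULL, dn, pw[i]));
    return 0;
}
```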