Re: BUG #4877: LDAP auth allows empty password string

Lists: pgsql-bugs
From: "Richard Tector" <richard(at)tector(dot)org(dot)uk>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #4877: LDAP auth allows empty password string
Date: 2009-06-24 10:21:13
Message-ID: 200906241021.n5OALDCR091175@wwwmaster.postgresql.org


The following bug has been logged online:

Bug reference: 4877
Logged by: Richard Tector
Email address: richard(at)tector(dot)org(dot)uk
PostgreSQL version: 8.3.7
Operating system: FreeBSD 7.2-RELEASE-p1
Description: LDAP auth allows empty password string
Details:

In general the client libraries for PostgreSQL error if an empty password is
used. The JDBC drivers do not, and this has uncovered a problem with the
server's LDAP authentication code.

When authenticating against Active Directory using the method:
ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
Authentication is successful with both the correct password and an empty
password, so long as a valid user is supplied. Using a non-existent username
or an incorrect password correctly produces an error and the logon fails.
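
As an added illustration (not code from the report, nor PostgreSQL's own LDAP code): a Python model of why a simple bind with an empty password can "succeed" (RFC 4513 calls this an unauthenticated bind and grants only anonymous authorization), next to the guard a password-checking service needs. The directory contents and credential are constructed.

```python
# Added example, not part of the report or of PostgreSQL. Models the
# directory server's simple-bind rules (RFC 4513 section 5.1) and the
# two ways a service might turn a bind result into a login decision.
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stand-in for the directory: name -> password.
DIRECTORY = {"CAPL\\alice": "correct-horse"}  # constructed sample credential

@dataclass
class BindResult:
    success: bool
    authenticated_as: Optional[str]  # None: anonymous / unauthenticated


def ldap_simple_bind(name: str, password: str) -> BindResult:
    """Simplified simple-bind semantics.
    - empty name + empty password  -> anonymous bind, success
    - name + empty password        -> *unauthenticated* bind: the server
      returns success without checking the password (servers may or may
      not verify the name), but the session is only anonymous
    - name + password              -> real authentication
    """
    if password == "":
        return BindResult(True, None)        # anonymous or unauthenticated
    if DIRECTORY.get(name) == password:
        return BindResult(True, name)        # authenticated as that user
    return BindResult(False, None)           # invalidCredentials


def naive_check_password(user: str, password: str) -> bool:
    """The pattern the report describes: bind success == login success."""
    return ldap_simple_bind(user, password).success


def hardened_check_password(user: str, password: str) -> bool:
    """Refuse empty passwords before ever binding, and require that the
    bind authenticated the named user, not merely that it 'succeeded'."""
    if password == "":
        return False
    result = ldap_simple_bind(user, password)
    return result.success and result.authenticated_as == user
```

The naive check accepts an empty password for any name, reproducing the symptom in the report; the hardened check rejects it while still accepting the real credential.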


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Richard Tector <richard(at)tector(dot)org(dot)uk>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4877: LDAP auth allows empty password string
Date: 2009-06-24 11:45:04
Message-ID: 4A4211C0.60605@hagander.net
Lists: pgsql-bugs

Richard Tector wrote:
> The following bug has been logged online:
>
> Bug reference: 4877
> Logged by: Richard Tector
> Email address: richard(at)tector(dot)org(dot)uk
> PostgreSQL version: 8.3.7
> Operating system: FreeBSD 7.2-RELEASE-p1
> Description: LDAP auth allows empty password string
> Details:
>
> In general the client libraries for PostgreSQL error if an empty password is
> used. The JDBC drivers do not, and this has uncovered a problem with the
> server's LDAP authentication code.
>
> When authenticating against Active Directory using the method:
> ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
> Authentication is successful with both the correct password and an empty
> password, so long as a valid user is supplied. Using a non-existent username
> or an incorrect password correctly produces an error and the logon fails.

Since this is a security related report, it should have been reported to
security(at)postgresql(dot)org, as specified on the web form you used.

For this reason, we will follow this up on that forum, and post a public
followup once the issue has been investigated.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/