List: pgsql-bugs
Subject: Re: [BUGS] BUG #4877: LDAP auth allows empty password string
From: Magnus Hagander <magnus () hagander ! net>
Date: 2009-06-24 11:45:04
Message-ID: 4A4211C0.60605 () hagander ! net
Richard Tector wrote:
> The following bug has been logged online:
>
> Bug reference: 4877
> Logged by: Richard Tector
> Email address: richard@tector.org.uk
> PostgreSQL version: 8.3.7
> Operating system: FreeBSD 7.2-RELEASE-p1
> Description: LDAP auth allows empty password string
> Details:
>
> In general the client libraries for PostgreSQL error if an empty password is
> used. The JDBC drivers do not, and this has uncovered a problem with the
> server's LDAP authentication code.
>
> When authenticating against Active Directory using the method:
> ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
> Authentication is successful with both the correct password and an empty
> password, so long as a valid user is supplied. Using a non-existent username
> or an incorrect password correctly produces an error and the logon fails.

Since this is a security-related report, it should have been reported to
security@postgresql.org, as specified on the web form you used.

For this reason, we will follow this up on that forum, and post a public
follow-up once the issue has been investigated.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
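
An added illustration of the behaviour reported above, not part of either message and not PostgreSQL's code: a server-side guard that refuses an empty password before any LDAP bind is attempted. The directory is replaced by a constructed stub that mirrors the reported results, and the function names, user name and password are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the directory server. It reproduces the results
 * in the report: a known user binds with the correct password OR an empty
 * one; an unknown user or a wrong password fails. Sample values are invented. */
static bool stub_ldap_simple_bind(const char *user, const char *password)
{
    if (strcmp(user, "CAPL\\alice") != 0)
        return false;                    /* non-existent user: bind fails */
    if (password[0] == '\0')
        return true;                     /* empty password: bind succeeds */
    return strcmp(password, "correct-horse") == 0;
}

/* Unguarded: hands whatever the client sent straight to the bind and
 * treats a successful bind as a successful login. */
bool ldap_auth_unguarded(const char *user, const char *password)
{
    return stub_ldap_simple_bind(user, password);
}

/* Guarded: a NULL or zero-length user or password never reaches the
 * directory. RFC 4513 section 5.1.2 advises clients of a name/password
 * bind to disallow empty password input for this reason. */
bool ldap_auth_guarded(const char *user, const char *password)
{
    if (user == NULL || user[0] == '\0')
        return false;
    if (password == NULL || password[0] == '\0')
        return false;
    return stub_ldap_simple_bind(user, password);
}

int main(void)
{
    printf("unguarded, empty password: %d\n",
           ldap_auth_unguarded("CAPL\\alice", ""));
    printf("guarded,   empty password: %d\n",
           ldap_auth_guarded("CAPL\\alice", ""));
    printf("guarded,   correct password: %d\n",
           ldap_auth_guarded("CAPL\\alice", "correct-horse"));
    return 0;
}
```

The check sits on the server because, as the report notes, not every client library rejects an empty password itself.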