Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

ldap connection authorized if username does not exist or password empty

When the ldap is activated and well configured : 1) if the username does not exist in the ldap database, the connection is allowed by askbot 2) if the username exists and no password is filled, the connection is also allowed. 3) if the username exists amd the password is filled and wrong, then the connection is refused (ldap error : invalid credentials) 4) if the username exists and the password is well filled, the the connection is accepted.

It seems to be that ldap-python simple_bind_s method does not raised an exception included in ldap.LDAPError for the first two cases. I have just added a trace to confirm that in the fourth cases the method is called. The ldap-python doc does not give more details. I will try to investigate further next week. If you have any idea, let me know, I have a full test environment to investigate.

ldap connection authorized if username does not exist or password empty

When the ldap is activated and well configured : 1) :

  1. if the username does not exist in the ldap database, the connection is allowed by askbot 2) askbot

  2. if the username exists and no password is filled, the connection is also allowed. 3) allowed.

  3. if the username exists amd the password is filled and wrong, then the connection is refused (ldap error : invalid credentials) 4) credentials

  4. if the username exists and the password is well filled, the the connection is accepted.

It seems to be that ldap-python simple_bind_s method does not raised an exception included in ldap.LDAPError for the first two cases. I have just added a trace to confirm that in the fourth cases the method is called. The ldap-python doc does not give more details. I will try to investigate further next week. If you have any idea, let me know, I have a full test environment to investigate.

ldap connection authorized if username does not exist or password emptythe password not filled even for an unknown user

When the ldap is activated and well configured :

  1. if the username does not exist in the ldap database, database and the the password is not filled, the connection is allowed by askbot

  2. if the username exists and no password is filled, the connection is also allowed.

  3. if the username exists amd and the password is filled and wrong, then the connection is refused (ldap error : invalid credentials

  4. if the username exists and the password is well filled, the the connection is accepted.

It seems to be that ldap-python simple_bind_s method does not raised an exception included in ldap.LDAPError for the first two cases. I have just added a trace to confirm that in the fourth cases the method is called. The ldap-python doc does not give more details. I will try to investigate further next week. If you have any idea, let me know, I have a full test environment to investigate.