Java, LDAP: Make it not ignore blank passwords?

Front-end · unresolved · 4 answers · 728 views
忘了有多久, 2020-12-14 18:37

I'm maintaining some legacy Java LDAP code. I know next to nothing about LDAP.

The program below basically just sends the userid and password to the LDAP server,

4 answers
  • 2020-12-14 19:04

    Unfortunately, authentication with a DN and an empty password is one of the deficiencies of LDAP, and results in an "unauthenticated" positive response from the server. Some LDAP servers have configuration options to disable that behavior, which has been discouraged in the latest revision of LDAPv3 (RFC 4511), and some even have it disabled by default.

    Ultimately, the client application should check input parameters and make sure the password is not empty.

    Kind regards,

    Ludovic

  • 2020-12-14 19:04

    There are two types of BIND operations, simple and SASL. In the case of the simple BIND, there are four possibilities:

    • empty DN and empty password: anonymous, no authentication takes place. This is the initial state, and also the state when a BIND request is received by the server
    • non-empty DN, empty password: unauthenticated, no authentication takes place
    • non-empty DN, non-empty password: the normal case, authentication is attempted
    • empty DN, non-empty password: server behavior is not defined in the LDAP standards. No authentication takes place.

    When a connection is initially established, the connection is anonymous. Each BIND request resets the connection state to anonymous. Each successful BIND request changes the authorization state of the connection to that of the distinguished name. Each unsuccessful BIND request leaves the connection unauthenticated.

    The semantics of BIND are defined in LDAP: Authentication

  • 2020-12-14 19:06

    You need to change the authentication method from simple (which is not something to use in a production environment anyway, at least not without SSL).

    As it is stated here: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html

    If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.

  • 2020-12-14 19:09

    What happens when you send an "empty" password is that the authentication (i.e. bind) is done as anonymous.

    Your code could be modified to detect an empty password or userid to stop this activity.

    Some LDAP implementations can stop any anonymous binds.

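Putting the advice from the answers above into code: the following is an added example, not the asker's program (which is not shown on this page) and not code from any of the answerers. It is a JNDI login helper that refuses an empty DN and an empty password before any bind request is sent, so that JNDI's silent switch from "simple" to "none" authentication (described in the Oracle tutorial quoted above) can never turn a blank password into a successful login. The class name LdapLogin, the method name authenticate, and the ldaps://ldap.example.com URL are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not from the original question): authenticate a user with a
 * simple LDAP bind, rejecting the two inputs that would make JNDI perform an
 * anonymous or unauthenticated bind instead of a real password check.
 */
public final class LdapLogin {

    private final String providerUrl;  // assumption: an ldaps:// URL, simple bind must not go over plaintext

    public LdapLogin(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /** True only when both DN and password are present; this is the check the answers recommend. */
    static boolean hasUsableCredentials(String userDn, char[] password) {
        // Empty DN + empty password  -> anonymous bind (RFC 4513 cases 1 and 4)
        // Non-empty DN + empty password -> "unauthenticated" bind; JNDI converts the mechanism to "none"
        if (userDn == null || userDn.trim().isEmpty()) {
            return false;
        }
        return password != null && password.length != 0;
    }

    /**
     * Returns true only if the server accepted a simple bind with a non-empty DN and
     * non-empty password. Empty inputs are rejected locally and never reach the server.
     */
    public boolean authenticate(String userDn, char[] password) throws NamingException {
        if (!hasUsableCredentials(userDn, password)) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        // Ask for "simple" explicitly; the non-empty credentials above keep JNDI from downgrading it to "none".
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);  // char[] is accepted by the LDAP provider

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);  // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;  // wrong password, or bind rejected by the server
        } finally {
            if (ctx != null) {
                ctx.close();
            }
            Arrays.fill(password, '\0');  // do not keep the password in memory longer than needed
        }
    }

    public static void main(String[] args) throws NamingException {
        LdapLogin login = new LdapLogin("ldaps://ldap.example.com:636");  // assumed host, not contacted below
        String dn = "uid=alice,ou=people,dc=example,dc=com";            // constructed sample DN

        // Both calls return false without opening a connection: the local check fails first.
        System.out.println(login.authenticate(dn, new char[0]));  // false: empty password
        System.out.println(login.authenticate("", "secret".toCharArray()));  // false: empty DN

        // Only a call with both values present reaches the server and performs a real bind:
        // login.authenticate(dn, "secret".toCharArray());
    }
}
```

The local check is the control the client fully owns; the server-side counterpart is to disable unauthenticated and anonymous binds where the directory allows it (for example `require authc` in OpenLDAP's slapd.conf), so that a bind with a blank password fails even when some other client forgets the check.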