authorCraig Andrews <candrews@integralblue.com>2010-09-21 18:04:28 -0400
committerCraig Andrews <candrews@integralblue.com>2010-09-21 18:05:18 -0400
commit8d019c03ee7a2a3a25bfb3f2afa25951eac06428 (patch)
tree827ecf79f63cae09a5f3957119ddfad3b51bfc8f
parent42dd460d3b9aa9a8ad147d00de9b6c8e209ab4e9 (diff)
Do not allow blank passwords when authenticating against LDAP.
-rw-r--r--plugins/LdapCommon/LdapCommon.php6
1 files changed, 6 insertions, 0 deletions
diff --git a/plugins/LdapCommon/LdapCommon.php b/plugins/LdapCommon/LdapCommon.php
index 7dea1f0ed..159b2d265 100644
--- a/plugins/LdapCommon/LdapCommon.php
+++ b/plugins/LdapCommon/LdapCommon.php
@@ -144,6 +144,12 @@ class LdapCommon
if(!$entry){
return false;
}else{
+ if(empty($password)) {
+ //NET_LDAP2 will do an anonymous bind if bindpw is not set / empty string
+ //which causes all login attempts that involve a blank password to appear
+ //to succeed. Which is obviously not good.
+ return false;
+ }
$config = $this->get_ldap_config();
$config['binddn']=$entry->dn();
$config['bindpw']=$password;
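Review bot: `empty($password)` in the added guard is broader than the condition its comment describes, because PHP's `empty()` is also true for the string `"0"`, so an account whose password is literally `0` is refused before any bind is attempted. A check that matches the stated intent is `if ($password === null || $password === '') {`. The guard also sits after the directory lookup that produced `$entry`, so a blank-password attempt still costs an LDAP search; the enclosing method starts outside this hunk, but if `$password` is already in scope at its top, rejecting there would be cheaper and would cover any other bind in the method, if there is one. The comment could name the behaviour being blocked, for example `// a simple bind with a DN and an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2): it succeeds without proving identity`.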