author | Craig Andrews <candrews@integralblue.com> | 2010-09-21 18:04:28 -0400 |
---|---|---|
committer | Craig Andrews <candrews@integralblue.com> | 2010-09-21 18:06:24 -0400 |
commit | 2db8aa3ec3f6804f8f16efe754aafb149f4035c9 (patch) | |
tree | 4f2473320ac6785e5ae5d2cea2e8df226e97ce62 /plugins/LdapCommon/LdapCommon.php | |
parent | 6bbc8ca234f3fe074cf398cd1f242cd4e2dd7df3 (diff) |
Do not allow blank passwords when authenticating against LDAP.
Diffstat (limited to 'plugins/LdapCommon/LdapCommon.php')
-rw-r--r-- | plugins/LdapCommon/LdapCommon.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/plugins/LdapCommon/LdapCommon.php b/plugins/LdapCommon/LdapCommon.php
index d583e3085..09ff54bad 100644
--- a/plugins/LdapCommon/LdapCommon.php
+++ b/plugins/LdapCommon/LdapCommon.php
@@ -144,6 +144,12 @@ class LdapCommon
 if(!$entry){
 return false;
 }else{
+ if(empty($password)) {
+ //NET_LDAP2 will do an anonymous bind if bindpw is not set / empty string
+ //which causes all login attempts that involve a blank password to appear
+ //to succeed. Which is obviously not good.
+ return false;
+ }
 $config = $this->get_ldap_config();
 $config['binddn']=$entry->dn();
 $config['bindpw']=$password; |
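Review bot: The added guard uses `empty($password)`, which in PHP is also true for the string `"0"`, so an account whose password is literally `0` is rejected, while the comment's stated intent is only to block the unset or zero-length password that turns the bind anonymous. `if(!is_string($password) || $password === '') { return false; }` expresses that intent exactly. The check sits after the entry lookup, so a blank password still costs a directory search; the enclosing method starts and ends outside the hunk, so whether the guard can move to its top is not visible here. Any other path in this class that copies a user-supplied value into `$config['bindpw']` would presumably need the same guard, and disabling unauthenticated binds on the directory server itself is worth having as a second layer.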