From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Richard Tector <richard(at)tector(dot)org(dot)uk> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #4877: LDAP auth allows empty password string |
Date: | 2009-06-24 11:45:04 |
Message-ID: | 4A4211C0.60605@hagander.net |
Lists: | pgsql-bugs |
Richard Tector wrote:
> The following bug has been logged online:
>
> Bug reference: 4877
> Logged by: Richard Tector
> Email address: richard(at)tector(dot)org(dot)uk
> PostgreSQL version: 8.3.7
> Operating system: FreeBSD 7.2-RELEASE-p1
> Description: LDAP auth allows empty password string
> Details:
>
> In general the client libraries for PostgreSQL error if an empty password is
> used. The JDBC drivers do not, and this has uncovered a problem with the
> server's LDAP authentication code.
>
> When authenticating against Active Directory using the method:
> ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
> Authentication is successful with both the correct password and an empty
> password, so long as a valid user is supplied. Using a non-existent username
> or an incorrect password correctly produces an error and the logon fails.

Since this is a security related report, it should have been reported to
security(at)postgresql(dot)org, as specified on the web form you used.
For this reason, we will follow this up on that forum, and post a public
followup once the issue has been investigated.
--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
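The behaviour in the report above (a valid user plus an empty password is accepted) is what an LDAP "unauthenticated" simple bind produces: RFC 4513 treats a bind with a non-empty name and a zero-length password as an anonymous session and most servers, Active Directory included, answer it with resultCode 0. A server that forwards the client's password and trusts that result code therefore lets the empty string through. The following is an added illustration, not code from PostgreSQL or from anyone on this thread; the directory entries, the `CAPL\` name prefix taken from the `ldap` line in the report, and the simulated server are constructed stand-ins, and the simulated server deliberately fails unknown names on an empty password to match what the reporter observed.

```python
"""Simulated LDAP simple bind (RFC 4513 section 5.1) next to a naive and a
hardened authenticator, showing why an empty password must be rejected
before any bind is attempted.

Added example, not PostgreSQL's own code. DIRECTORY holds constructed
credentials only.
"""

# Constructed directory: bind name -> password. Names use the "CAPL\" prefix
# form from the report's ldap configuration line.
DIRECTORY = {
    "CAPL\\alice": "correct horse battery staple",
    "CAPL\\bob": "s3cret",
}

# LDAP resultCode values from RFC 4511.
SUCCESS = 0
INVALID_CREDENTIALS = 49


def ldap_simple_bind(name: str, password: str) -> int:
    """Server side of a simple bind, simulated.

    RFC 4513 distinguishes three simple-bind forms:
      anonymous        empty name, empty password   -> success, no identity
      unauthenticated  name given, empty password   -> success, no identity
      name/password    name given, password given   -> password is verified
    Only the last form verifies anything, yet all three can return SUCCESS,
    so the caller cannot treat resultCode 0 as proof the password was checked.
    """
    if password == "":
        if name == "" or name in DIRECTORY:
            # Anonymous or unauthenticated bind: the password is never
            # compared, the server just grants an anonymous session.
            # (Failing unknown names here is a constructed choice that
            # mirrors the report; RFC 4513 leaves it to the server.)
            return SUCCESS
        return INVALID_CREDENTIALS
    if DIRECTORY.get(name) == password:
        return SUCCESS
    return INVALID_CREDENTIALS


def bind_name(user: str) -> str:
    """Build the bind name the way a prefix of 'CAPL\\' would."""
    return "CAPL\\" + user


def authenticate_naive(user: str, password: str) -> bool:
    """The vulnerable pattern: forward whatever the client sent and trust
    the bind result. A valid user with an empty password is let in."""
    return ldap_simple_bind(bind_name(user), password) == SUCCESS


def authenticate_hardened(user: str, password: str) -> bool:
    """Refuse an empty password before talking to the directory, so an
    unauthenticated bind can never be mistaken for a verified one."""
    if password == "":
        return False
    return ldap_simple_bind(bind_name(user), password) == SUCCESS


if __name__ == "__main__":
    cases = [("alice", "correct horse battery staple"), ("alice", ""),
             ("alice", "wrong"), ("mallory", "")]
    for user, pw in cases:
        print(f"{user!r:10} pw={pw!r:32} naive={authenticate_naive(user, pw)!s:5} "
              f"hardened={authenticate_hardened(user, pw)}")
```

Run as a script it prints one line per case; the `("alice", "")` row is the reported bug, accepted by `authenticate_naive` and refused by `authenticate_hardened`. The guard belongs on the server side: relying on client libraries to reject empty passwords is exactly what the JDBC driver in the report shows cannot be assumed.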