Spring Security / SEC-1117

Unable to use NtlmAwareLdapAuthenticator with LdapAuthenticationProvider due to checking for null password.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: LDAP
    • Labels: None

      Description

      Currently LdapAuthenticationProvider checks for an empty password in its authenticate() method (lines 225 onward). This does not allow the use of NtlmAwareLdapAuthenticator as a delegate for authentication, because a null password will always be rejected - as is the case when using NTLM authentication - and NtlmAwareLdapAuthenticator never gets called.

      The forum thread mentioned above confirms the same problem encountered by another user (see item 2 in the top post).
      Also, a similar problem exists with id: SEC-1014.

        Activity

          Luke Taylor added a comment -

          I've moved the check for the empty password into BindAuthenticator.authenticate(). The check is required because some directories treat an empty password as an anonymous bind, and the risk is that a user could authenticate as any valid username to such a directory just by entering an empty password. However, it should only be pertinent to bind authentication.

          This change should allow the overridden authenticate method in NtlmAwareLdapAuthenticator to succeed, even with an empty password.
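The placement of the check described in the comment above, as an added illustration that is not Spring Security's own code: a hypothetical directory (MockDirectory) that treats an empty password as a successful anonymous bind, a bind authenticator that rejects the empty password before binding, and an NTLM-style delegate that never receives a password. All class and method names here are assumptions and deliberately simplified; the real classes have different signatures.

```java
import java.util.Map;

interface LdapAuthenticator { String authenticate(String user, String password); }
// Hypothetical directory that, like some real servers, treats an empty password
// as a successful anonymous bind: the behaviour the empty-password check guards against.
class MockDirectory {
    private final Map<String, String> passwords = Map.of("alice", "s3cret"); // constructed sample
    boolean bind(String user, String password) { return password.isEmpty() || password.equals(passwords.get(user)); }
}
// Bind authentication: reject an empty password BEFORE contacting the directory,
// otherwise the anonymous bind above would count as a valid login for any username.
class BindAuthenticator implements LdapAuthenticator {
    private final MockDirectory dir;
    BindAuthenticator(MockDirectory dir) { this.dir = dir; }
    public String authenticate(String user, String password) {
        if (password == null || password.isEmpty())
            throw new SecurityException("empty password rejected for " + user);
        if (!dir.bind(user, password))
            throw new SecurityException("bad credentials for " + user);
        return user;
    }
}
// NTLM-style delegate: no password is ever available (null); the identity comes from
// the earlier NTLM exchange. That exchange is not modelled here, so this trusts the name.
class NtlmAuthenticator implements LdapAuthenticator {
    public String authenticate(String user, String password) { return user; }
}
// The provider only delegates; with the check gone from here (the SEC-1117 fix),
// a null password no longer prevents the NTLM delegate from being called.
class LdapAuthenticationProvider {
    private final LdapAuthenticator delegate;
    LdapAuthenticationProvider(LdapAuthenticator delegate) { this.delegate = delegate; }
    String authenticate(String user, String password) {
        try { return "ok as " + delegate.authenticate(user, password); }
        catch (SecurityException e) { return "rejected: " + e.getMessage(); }
    }
}

public class Sec1117Demo {
    public static void main(String[] args) {
        MockDirectory dir = new MockDirectory();
        // The underlying risk: the directory alone accepts an empty password for any name.
        System.out.println("raw empty-password bind accepted: " + dir.bind("bob", ""));
        LdapAuthenticationProvider bind = new LdapAuthenticationProvider(new BindAuthenticator(dir));
        System.out.println(bind.authenticate("alice", ""));        // check in BindAuthenticator fires
        System.out.println(bind.authenticate("alice", "s3cret"));  // normal bind
        LdapAuthenticationProvider ntlm = new LdapAuthenticationProvider(new NtlmAuthenticator());
        System.out.println(ntlm.authenticate("alice", null));      // delegate is now reached
    }
}
```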


            People

            • Assignee: Luke Taylor
            • Reporter: Maciej Skolecki