I use Ejabberd 1.1.2 in Windows 2003 domain.
I've found that when you use the module ejabberd_auth_ldap for authentication, you can log in under any user account with a blank password, while incorrect passwords are handled correctly. I think it is a serious security issue.
Since I'm dumb in Erlang, I could just add a couple of lines to ejabberd_auth_ldap.erl; the function check_password at line 121 now looks like this:
check_password(User, Server, Password) ->
    %% Reject an empty password before it is ever sent to the LDAP server:
    %% a simple bind with an empty password is an "unauthenticated bind",
    %% and a server that allows it reports success without checking the account.
    if
        Password == "" ->
            false;
        true ->
            Proc = gen_mod:get_module_proc(Server, ?MODULE),
            case catch gen_server:call(Proc, {check_pass, User, Password},
                                       ?REPLY_TIMEOUT) of
                {'EXIT', _} ->
                    false;
                Result ->
                    Result
            end
    end.
After the module was compiled, it works fine.
Maybe it helps somebody.
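The behaviour in the post above, shown as an added example that is not part of the thread or of ejabberd, and written in Python rather than Erlang so it runs without an LDAP server. The directory contents and the simulated_simple_bind function are constructed stand-ins: the simulation models a server that, like Active Directory by default, answers a simple bind carrying a DN and an empty password with success (RFC 4513 section 5.1.2 calls this an unauthenticated bind), which is exactly why a client that forwards blank passwords lets anyone in. check_password_guarded applies the same fix as the Erlang patch: refuse the empty password locally, before any bind is attempted.

```python
"""Guarding an LDAP password check against unauthenticated binds.

Constructed example: the LDAP bind is simulated in-process, and the
directory below is made-up sample data, not a real account list.
"""

# Constructed sample directory: username -> password.
DIRECTORY = {
    "alice": "correct-horse",
    "bob": "battery-staple",
}


def simulated_simple_bind(user: str, password: str, directory: dict) -> bool:
    """Simulate an LDAP simple bind against a server that accepts
    unauthenticated binds.

    Returns True when the server would answer "success". With an empty
    password the server does not verify anything about the account; it
    grants an anonymous session and still reports success, which is what
    the thread observed against Active Directory. Whether a non-existent
    DN also succeeds depends on the server; this simulation assumes it does.
    """
    if password == "":
        return True  # unauthenticated bind: success, but no identity proven
    return directory.get(user) == password


def check_password_unguarded(user: str, password: str, directory: dict) -> bool:
    """The bug: treat the raw bind result as proof of the password."""
    return simulated_simple_bind(user, password, directory)


def check_password_guarded(user: str, password: str, directory: dict) -> bool:
    """The fix from the post: reject an empty password before any bind, so
    the server's unauthenticated-bind success can never be mistaken for a
    verified login."""
    if password == "":
        return False
    return simulated_simple_bind(user, password, directory)


def compare(cases, directory: dict) -> dict:
    """Run each (user, password) pair through both checks.

    Returns {(user, password): (unguarded_result, guarded_result)}.
    """
    return {
        (u, p): (
            check_password_unguarded(u, p, directory),
            check_password_guarded(u, p, directory),
        )
        for u, p in cases
    }


if __name__ == "__main__":
    sample_cases = [
        ("alice", "correct-horse"),  # right password
        ("alice", "wrong"),          # wrong password
        ("alice", ""),               # blank password: the reported bug
        ("nobody", ""),              # blank password, account does not exist
    ]
    for (u, p), (before, after) in compare(sample_cases, DIRECTORY).items():
        print(f"user={u!r} password={p!r}: unguarded={before} guarded={after}")
```

The same rule belongs in any client that authenticates users by binding to a directory: an empty (or otherwise absent) credential must be refused before the bind, because the server's reply for an unauthenticated bind is "success" and cannot be told apart from a verified one without inspecting the session.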
Re: LDAP authentication bug: incorrect blank password handling.
I don't see any problem with blank passwords with OpenLDAP:
(ejabberd@localhost)4> ejabberd_auth_ldap:check_password("test", "mydomain", "").
false
Check the configuration of your LDAP server.
It's not OpenLDAP
The matter concerns not OpenLDAP but Microsoft Active Directory. Maybe that's the root of the problem.
I have the same problem with
I have the same problem with authorization against AD. Blank passwords are always accepted. Is this a bug in ejabberd or in AD?