From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Wed, 18 Aug 2010 12:57:43 -0400 Subject: [PATCH 9/9] Treat a zero-length password as a failure Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD. --- src/providers/ldap/ldap_auth.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, req = tevent_req_create(memctx, &state, struct auth_state); if (!req) return NULL; + /* Treat a zero-length password as a failure */ + if (password.length == 0) { + state->result = SDAP_AUTH_FAILED; + tevent_req_done(req); + return tevent_req_post(req, ev); + } + state->ev = ev; state->ctx = ctx; state->username = username; -- 1.7.2.1