On Thu, May 6, 2010 at 2:16 AM, Daniele Procida <dan...@apple-juice.co.uk> wrote:
> We're finding that with a correct LDAP username and blank password,
> anyone can log into Django.
>
> This occurs with django_auth_ldap, and previously with ldapauth.
>
> Is this expected behaviour? (I'm certainly surprised.)
>
> I assumed the problem lay in our institution's LDAP setup, but I'm told
> it's not so.
>
> If not, it's either in django_auth_ldap or the Python ldap module - but
> it must also be in two other completely different systems (ASP.net I
> think) we use, that we have discovered have the same problem.
Well, if you've tried this with django-auth-ldap and ASP.net and the
problem also happens, then the problem is your LDAP server
configuration. I use django-auth-ldap with OpenLDAP and have no
problems at all.
>
> Our colleagues responsible for the LDAP servers have said:
>
>> We've investigated the issue you raised about users being able to
>> authenticate to your systems without providing a password and have not
>> found any way that LDAP will allow authentication in this way.
>>
>> It sounds as though the systems are not configured to authenticate
>> correctly, though unfortunately I'm not familiar with them to say why
>> this would be.
>>
>> My first thoughts would be that either they are not checking against
>> LDAP at all - i.e. there's a fault in its set up, or they are performing
>> some sort of lookup, rather than authentication.
>>
>> The way to test if it's the latter is to try logging in with no password,
>> then with a wrong, random string as a password. If no password works and
>> the wrong password doesn't, then your system is not properly
>> authenticating but performing a lookup to test for success.
>
> I'd be most grateful for any guidance on how to approach this, or
> comments on what really appears to be the issue.
>
> Daniele
>
>
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
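The behaviour described in this thread matches what RFC 4513 (section 5.1.2) calls an "unauthenticated" simple bind: a request carrying a DN but an empty password is treated by the server as an anonymous bind, and a server that has not been configured to refuse it returns success. An application that equates "bind returned success" with "user authenticated" therefore lets anyone in with a blank password, exactly as the LDAP admins' blank-versus-random-password test would reveal. The following is an added example (not code from this thread, from django-auth-ldap, or from any LDAP library): a constructed toy directory that reproduces the permissive bind behaviour, a naive login check next to a hardened one that refuses empty passwords and verifies the bind really authenticated the requested DN, and the two-step probe the admins suggest. The DN, password and function names are all constructed placeholders.

```python
"""Simulated LDAP simple bind and the empty-password check.

Constructed example. ToyDirectory is a stand-in for a directory server,
not a real LDAP client or server; it models the case in which a DN with
an empty password is accepted as an anonymous ("unauthenticated") bind,
as RFC 4513 section 5.1.2 describes and recommends servers refuse.
"""
import hmac
import secrets
from dataclasses import dataclass

# LDAP resultCode values (RFC 4511)
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


@dataclass
class BindResult:
    result_code: int
    authz_identity: str  # DN the bind actually authenticated; "" means anonymous


class ToyDirectory:
    """Constructed stand-in for a directory server (no network, no real LDAP)."""

    def __init__(self, passwords, allow_unauthenticated=True):
        self._passwords = passwords  # {dn: password}, constructed test data
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn, password):
        if dn == "" and password == "":
            return BindResult(SUCCESS, "")  # plain anonymous bind
        if dn != "" and password == "":
            # Unauthenticated bind: a permissive server grants anonymous
            # access and reports success; a hardened one refuses it.
            if self.allow_unauthenticated:
                return BindResult(SUCCESS, "")
            return BindResult(UNWILLING_TO_PERFORM, "")
        stored = self._passwords.get(dn)
        if stored is not None and hmac.compare_digest(
            stored.encode(), password.encode()
        ):
            return BindResult(SUCCESS, dn)
        return BindResult(INVALID_CREDENTIALS, "")


def naive_authenticate(directory, dn, password):
    """What a lookup-style check does: any successful bind counts as a login."""
    return directory.simple_bind(dn, password).result_code == SUCCESS


def authenticate(directory, dn, password):
    """Hardened check: never forward an empty password, and require that the
    bind authenticated as the requested DN rather than as anonymous."""
    if not dn or not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.result_code == SUCCESS and result.authz_identity == dn


def probe_lookup_vs_auth(auth_fn, directory, dn):
    """The two-step test from the thread: try a blank password, then a
    random wrong one. Returns a verdict string."""
    blank_ok = auth_fn(directory, dn, "")
    wrong_ok = auth_fn(directory, dn, secrets.token_hex(16))
    if blank_ok and not wrong_ok:
        return "lookup"  # blank accepted, wrong rejected: not authenticating
    if not blank_ok and not wrong_ok:
        return "authenticating"
    return "broken"  # a random password was accepted


if __name__ == "__main__":
    # Constructed sample directory with one user.
    user_dn = "uid=example,ou=people,dc=example,dc=org"
    permissive = ToyDirectory({user_dn: "correct-horse"})
    print("naive  :", probe_lookup_vs_auth(naive_authenticate, permissive, user_dn))
    print("hardened:", probe_lookup_vs_auth(authenticate, permissive, user_dn))
```

The probe is useful against the real application as well as the toy: run it against the login form with a valid username and the verdict "lookup" means the application, not LDAP, is the weak link. Fixing the server (`allow_unauthenticated=False` in the toy, the equivalent setting on a real directory) helps, but the application-side check in `authenticate` is the one a deployment controls and should have regardless of how the directory is configured.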