LDAP authentication success with empty password

Miguel Tubía

Jun 12, 2012, 11:21:23 AM
to webpass...@googlegroups.com
Hi all,
I have integrated webpasswordsafe with my AD using ldapAuthenticator. All is working fine: if I enter the right user/password combination I can log in, and if I enter a wrong password the login fails.
BUT if I enter a valid user with an empty password, I CAN log in. Any idea about how to deal with this?
Thanks!!!
Regards.
M.

Jason Lin

Jun 12, 2012, 11:13:20 PM
to webpass...@googlegroups.com
It's better if you set up your Active Directory to not accept empty passwords.

Miguel Tubía

Jun 13, 2012, 4:22:47 AM
to webpass...@googlegroups.com
Hi!
In this case, I'm not the AD administrator. AFAIK, this issue can happen when AD accepts anonymous queries, and if you send a user without a password, AD doesn't reject the query but treats it like an anonymous query.
I have made a modification in the code. In LdapAuthenticator.java I have added the following to the authenticate method:

    if (password==null || password.isEmpty()) {
        LOG.debug("ldap error authenticating: password empty");
    } else {

So the method becomes:

    @Override
    public boolean authenticate(String username, String password)
    {
        boolean valid = false;
        // Never attempt a bind with an empty password: the directory may treat
        // it as an unauthenticated (anonymous) bind and still report success.
        if (password==null || password.isEmpty()) {
            LOG.debug("ldap error authenticating: password empty");
        } else {
            try
            {
                String userFilter = filter.replace("$1", username);
                LOG.debug("ldap filter="+userFilter);
                valid = ldapTemplate.authenticate(base, userFilter, password);
            }
            catch (Exception e)
            {
                // an exception is expected when bad credentials are used
                LOG.debug("ldap error authenticating: "+ e.getMessage());
            }
        }
        LOG.debug("LdapAuthenticator: login success for "+username+"? "+valid);
        return valid;
    }

I had to compile and re-deploy.

Now it's OK. But if the user has a really empty password, it will not be authenticated (anyway, who has an empty password?).
Regards,
M.

Josh

Jul 13, 2012, 2:36:20 AM
to webpass...@googlegroups.com
I'm sorta curious if other software clients you have act the same way when authenticating with your AD, or whether it is unique to this application.  But anyway, your custom modification looks good if that is an enforcement that is okay globally in your environment.  Again great to see people are taking advantage of the flexible open source nature of this project.

In a future version I've been thinking about another wrapper authenticator plugin to check for password complexity rules to work in tandem or augment the authentication source(s) other plugin(s) are configured for (most notably for the default localAuthenticator).  A simple case could be denying empty passwords, advanced cases your typical password complexity requirements (length, alpha, numeric, caps, special chars).

Thanks,
~Josh
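The behaviour Miguel describes (a valid user with an empty password gets in) is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2: a simple bind that carries a DN but a zero-length password is not an error, a server that permits it grants an anonymous session, and a client that equates "the bind succeeded" with "the password was verified" is fooled. The following Python example is added here for illustration; it is not webpasswordsafe code and not from any poster in this thread. It models that rule in a toy directory and shows the three responses discussed above: Jason's server-side setting to refuse unauthenticated binds, Miguel's client-side guard, and Josh's wrapper-authenticator idea with empty-password and complexity checks. ToyDirectory, the entry for alice, its password and the policy thresholds are all constructed for the example.

```python
# Added example (not code from the webpasswordsafe project): a small model of the
# LDAP simple-bind rules from RFC 4513 section 5, used to show why the original
# authenticate() accepted a known username with an empty password, and the fixes
# discussed in the thread. ToyDirectory, its entries and the policy thresholds
# are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
import re


class BindOutcome(Enum):
    AUTHENTICATED = "authenticated"            # name + correct password
    ANONYMOUS = "anonymous"                    # bind succeeded, but with no identity
    INVALID_CREDENTIALS = "invalidCredentials"
    UNWILLING = "unwillingToPerform"


@dataclass
class ToyDirectory:
    """Stand-in for the server side of an LDAP simple bind (constructed)."""
    passwords: dict                             # DN -> password, constructed test data
    allow_unauthenticated_bind: bool = True     # the permissive setting many directories ship with

    def simple_bind(self, dn: str, password: str) -> BindOutcome:
        if dn == "" and password == "":
            return BindOutcome.ANONYMOUS        # RFC 4513 5.1.1: anonymous bind
        if password == "":
            # RFC 4513 5.1.2: a name with a zero-length password is an
            # *unauthenticated* bind. If the server allows it, the bind result is
            # success, but the session is anonymous: the name was never verified.
            if self.allow_unauthenticated_bind:
                return BindOutcome.ANONYMOUS
            return BindOutcome.UNWILLING
        if self.passwords.get(dn) == password:
            return BindOutcome.AUTHENTICATED
        return BindOutcome.INVALID_CREDENTIALS


def naive_authenticate(directory: ToyDirectory, dn: str, password: str) -> bool:
    """Mirrors the original LdapAuthenticator: 'the bind did not fail' is taken as 'password ok'."""
    outcome = directory.simple_bind(dn, password)
    return outcome in (BindOutcome.AUTHENTICATED, BindOutcome.ANONYMOUS)


def guarded_authenticate(directory: ToyDirectory, dn: str, password) -> bool:
    """Miguel's client-side fix: refuse to bind at all when the password is empty."""
    if password is None or password == "":
        return False
    return directory.simple_bind(dn, password) is BindOutcome.AUTHENTICATED


class PasswordPolicyAuthenticator:
    """Josh's wrapper-plugin idea: apply a policy, then delegate to another authenticator.

    min_length and min_classes are assumed example thresholds, not project settings.
    """

    def __init__(self, delegate, min_length: int = 8, min_classes: int = 3):
        self.delegate = delegate
        self.min_length = min_length
        self.min_classes = min_classes

    def authenticate(self, username: str, password) -> bool:
        if not password:                        # None or empty: never reaches the directory
            return False
        if len(password) < self.min_length:
            return False
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            return False
        return self.delegate(username, password)


# Constructed sample directory: one user with a known password, in two server configurations.
ALICE = "cn=alice,ou=users,dc=example,dc=org"
AD_DEFAULT = ToyDirectory({ALICE: "Correct-Horse-42"}, allow_unauthenticated_bind=True)
AD_HARDENED = ToyDirectory({ALICE: "Correct-Horse-42"}, allow_unauthenticated_bind=False)


def demo() -> dict:
    """Returns each authenticator's verdict, so the three fixes can be compared side by side."""
    policy = PasswordPolicyAuthenticator(lambda u, p: guarded_authenticate(AD_DEFAULT, u, p))
    return {
        "naive_blank_default": naive_authenticate(AD_DEFAULT, ALICE, ""),      # True: the bug
        "naive_blank_hardened": naive_authenticate(AD_HARDENED, ALICE, ""),    # False: server-side fix
        "guarded_blank_default": guarded_authenticate(AD_DEFAULT, ALICE, ""),  # False: client-side fix
        "guarded_right": guarded_authenticate(AD_DEFAULT, ALICE, "Correct-Horse-42"),
        "policy_short": policy.authenticate(ALICE, "abc"),                     # False: rejected before binding
        "policy_right": policy.authenticate(ALICE, "Correct-Horse-42"),        # True
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of keeping both guards is that they protect different boundaries: the server-side setting closes the hole for every client of that directory, while the client-side check protects this application even when, as in Miguel's case, the directory is administered by someone else.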

Wayne Harmsworth

Feb 11, 2014, 9:30:18 PM
to webpass...@googlegroups.com
Thanks heaps for your fix, I did however need to modify slightly as I was unable to recompile.

    @Override
    public boolean authenticate(String username, String password)
    {
        boolean valid = false;
        if (password==null || password.isEmpty()) {
            LOG.debug("ldap error authenticating: password empty");
            return false;
        }

Josh Albright

Apr 15, 2014, 4:30:17 PM
to webpass...@googlegroups.com
I've tested two other software clients, and they both validate the password is blank so I can't validate that AD itself is the issue.  I put in the above code and it prevented the problem.  Honestly, null passwords should be prevented, and your idea of complexity requirements is a good one.

adam...@picotech.com

Nov 17, 2015, 9:01:34 AM
to webpasswordsafe
Also added the change to catch blank passwords

    @Override
    public boolean authenticate(String username, String password)
    {
        boolean valid = false;

        if (password==null || password.isEmpty())
        {
            LOG.debug("ldap error authenticating: password empty");
        }
        else
        {
            try
            {
                String userFilter = filter.replace("$1", username);
                LOG.debug("ldap filter="+userFilter);
                valid = ldapTemplate.authenticate(base, userFilter, password);
            }
            catch (Exception e)
            {
                // an exception is expected when bad credentials are used
                LOG.debug("ldap error authenticating: "+ e.getMessage());
            }
        }

        LOG.debug("LdapAuthenticator: login success for "+username+"? "+valid);
        return valid;
    }

but did not need to add the additional return false.