On 11/1/06 5:08, Peter Walsham <[EMAIL PROTECTED]> wrote:
>
>
> Question
> =============
>
> Leaving aside whether it is bad practice to have blank passwords, I would
> like to know:
>
> Which of the following two has the correct LDAP behaviour?
>
> Command line "ldapsearch"
> Perl package "Net::LDAP"
>
> I suspect "ldapsearch" is correct in how it handles binding with blank
> passwords. I am of the opinion that Net::LDAP contains a bug / special
> feature!
>
>
>
>
> Example with "ldapsearch"
> ==============================
>
> Joe Bloggs has a password set but it is empty / blank. Using ldapsearch
> the following happens when you search for the details on Joe Bloggs.
>
> 1) Fails: name
> 2) Success: name + password
>
> ldapsearch -h 'localhost' -x -s base -D 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com' -b 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com'
> ldapsearch -h 'localhost' -x -s base -D 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com' -b 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com' -w ''
>
> I assume case 1) with just a name in fact just attempts an anonymous bind
> as the password is missing.
No, it probably sends a bind with the given DN, and simple credentials of an
empty string. This is called a name-only bind. Obviously it doesn't prove
anything generally although a twisted mind could conceive of it being
meaningful if some lower layer security got negotiated first (e.g. TLS with
a client key.) It would still be relatively pointless in this scenario...
> Example with "Net::LDAP"
> ==============================
>
>
> The following code errors with (in summary):
> resultCode 48
> 'No password, did you mean noauth or anonymous ?'
Yep. The bind method tries to guess what sort of bind you want and punts
like that if it sees a blank password because you /probably/ really wanted a
simple bind. If you really really do want a name-only bind, then you can
avoid the guesswork by stating explicitly:
# $ldap is assumed to be an already connected Net::LDAP object
$ldap->bind('cn=Joe Bloggs,ou=London,dc=axomic,dc=com',
            noauth   => 1,    # explicit name-only (unauthenticated) bind
            password => '');
Cheers,
Chris