It is a good article with good analysis. I do think it would be a useful
feature to have a bit to flip for simple bind to be forced to fail with
blank password, even though this would go against the RFC spec. I also
think it is interesting that since ADAM is actually doing some sort of
secure authentication to AD, this bind attempt does actually up the bad pwd
count and can result in user lockout.
Another scenario that is interesting with blank passwords is that
potentially an ADAM or AD user could have an actual blank password. It then
becomes very difficult to tell them apart from a bind attempt. I remember
Dmitri discussing this on the newsgroups a ways back, although as I recall,
he seemed to believe this was an inevitable consequence of the spec.
Besides the DCR, I think all you can do is validate on the application side
(but you already knew that).
Joe K.
----- Original Message -----
From: "Jef Kazimer" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Thursday, September 28, 2006 7:53 PM
Subject: [ActiveDir] ADAM bind Redirection with a NULL password
Since there has been talk of LDAP "Authentication" as of late, I figured
I'd post my issue of poorly developed applications allowing a null
password to an ADAM instance using Bind Redirection.
http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry
I'd be curious if a bit flip to shut down this possibility could be put in
control of the directory Admin, instead of relying on the developers.
Thanks,
Jef Kazimer
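The application-side validation Joe K. mentions is worth showing concretely. The following is an added example, not code from either message or from any ADAM/AD tooling; it uses only the Python standard library and a constructed in-memory stand-in for the directory that follows the RFC 4513 simple-bind rules (section 5.1: empty name and empty password is an anonymous bind, non-empty name with an empty password is an unauthenticated bind that succeeds without checking the identity, and only name plus non-empty password is actually verified). The account names, passwords and the `fake_ldap_simple_bind` function are all assumptions made for the example; with a real client library the same guard would run before the bind call.

```python
"""Guarding an LDAP simple bind against blank-password (unauthenticated) binds.

Added example, not from the thread. FAKE_DIRECTORY and fake_ldap_simple_bind
are a constructed stand-in for a server; they model RFC 4513 section 5.1:
  - empty DN, empty password     -> anonymous bind, success
  - non-empty DN, empty password -> unauthenticated bind, success, identity NOT verified
  - non-empty DN, non-empty pw   -> checked against the stored credential
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample accounts (plaintext only to keep the stand-in simple).
# svc-proxy deliberately has a real blank password: as Joe K. notes, such an
# account cannot be told apart from an unauthenticated bind attempt.
FAKE_DIRECTORY: Dict[str, str] = {
    "CN=alice,OU=Users,DC=example,DC=test": "correct horse battery staple",
    "CN=svc-proxy,OU=Users,DC=example,DC=test": "",
}


@dataclass
class BindResult:
    success: bool
    kind: str  # anonymous | unauthenticated | authenticated | invalidCredentials | rejected-by-client


def fake_ldap_simple_bind(dn: str, password: str) -> BindResult:
    """Stand-in server: RFC 4513 simple-bind semantics over FAKE_DIRECTORY."""
    if dn == "" and password == "":
        return BindResult(True, "anonymous")
    if dn != "" and password == "":
        # Unauthenticated bind: the server returns success without verifying dn.
        return BindResult(True, "unauthenticated")
    stored = FAKE_DIRECTORY.get(dn)
    if stored is not None and stored == password:
        return BindResult(True, "authenticated")
    return BindResult(False, "invalidCredentials")


BindFn = Callable[[str, str], BindResult]


def naive_login(dn: str, password: Optional[str], bind: BindFn = fake_ldap_simple_bind) -> bool:
    """The pattern the post warns about: 'bind succeeded' is taken to mean 'user authenticated'."""
    return bind(dn, password or "").success


def guarded_login(dn: str, password: Optional[str], bind: BindFn = fake_ldap_simple_bind) -> BindResult:
    """Application-side check: never send a bind the server would treat as anonymous
    or unauthenticated, and only trust a result the server actually authenticated."""
    if dn is None or dn.strip() == "":
        return BindResult(False, "rejected-by-client")
    if password is None or password == "":
        # Do not strip the password: a legitimate password may contain spaces.
        return BindResult(False, "rejected-by-client")
    result = bind(dn, password)
    if result.success and result.kind != "authenticated":
        # Defence in depth: a server that still reports a non-authenticated success is not trusted.
        return BindResult(False, "rejected-by-client")
    return result


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=test"
    print("naive, blank password:  ", naive_login(alice, ""))          # True  (the bug)
    print("guarded, blank password:", guarded_login(alice, "").kind)   # rejected-by-client
    print("guarded, real password: ", guarded_login(alice, "correct horse battery staple").kind)
```

The guard costs nothing on the application side and also removes the blank-password bind that, per Joe K.'s observation, still increments the bad-password count when ADAM redirects the bind to AD.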
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx