Full_Name: Johannes Geiger
Version: n/a
OS: Windows, Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.245.172.60)


While the documentation of JLDAP states that only authenticated and anonymous
bind are supported, JLDAP silently converts an unauthenticated bind to an
anonymous one. 

From LDAPConnection.java:

        boolean anonymous = false;
        if( passwd.length == 0) {
            anonymous = true; // anonymous, passwd length zero with simple bind
            dn = "";          // set to null if anonymous
        }

(I even think there is a bug in this, as the flag "anonymous" stays false if a
password is given but no DN.)

This is in fact a security issue: while an unauthenticated bind is usually
forbidden by the server and an anonymous bind is allowed, a client using bind
for authentication might be led to believe in successful authentication,
whereas the server only accepted an anonymous bind and did not do any credential
verification.


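The downgrade described in the report, as an added example that is not part of the ITS submission or of JLDAP's own code: the bind logic quoted from LDAPConnection.java is transcribed into Python next to the three bind kinds of RFC 4513 section 5.1, and a minimal BER encoder builds the BindRequest (RFC 4511) so the DN the server actually receives can be read back from the bytes. A hardened variant refuses an unauthenticated bind instead of relabelling it. All function names, the sample DN and the error class are made up for this example.

```python
"""Added example, not code from the ITS report or from JLDAP.

Transcribes the LDAPConnection.java bind logic quoted in the report, classifies
binds per RFC 4513 section 5.1, and encodes the BindRequest on the wire so the
silent downgrade from an unauthenticated to an anonymous bind is visible.
Function names and the DN used below are made up for this example.
"""


def classify_bind(dn: str, password: bytes) -> str:
    """RFC 4513 section 5.1 distinguishes three simple-bind mechanisms."""
    if not dn and not password:
        return "anonymous"          # empty name, empty password
    if dn and not password:
        return "unauthenticated"    # name given, no password: no credential check
    return "simple"                 # name and password: server verifies them


def jldap_style_mapping(dn: str, password: bytes):
    """Transcription of the LDAPConnection.java snippet quoted in the report:
    an empty password makes the bind anonymous and blanks the DN, so an
    unauthenticated bind silently becomes an anonymous one. A non-empty
    password with an empty DN leaves ``anonymous`` False, as the report notes."""
    anonymous = False
    if len(password) == 0:
        anonymous = True
        dn = ""
    return anonymous, dn


class UnauthenticatedBindError(ValueError):
    """Raised instead of quietly turning the request into an anonymous bind."""


def checked_bind_params(dn: str, password: bytes, allow_anonymous: bool = False):
    """Hardened client-side check: refuse what the caller did not ask for."""
    kind = classify_bind(dn, password)
    if kind == "unauthenticated":
        raise UnauthenticatedBindError(f"refusing unauthenticated bind for {dn!r}")
    if kind == "anonymous" and not allow_anonymous:
        raise UnauthenticatedBindError("anonymous bind not permitted here")
    return kind, dn, password


def _ber(tag: int, payload: bytes) -> bytes:
    """BER TLV with short-form length, enough for a bind request under 128 bytes."""
    if len(payload) >= 0x80:
        raise ValueError("demo encoder handles payloads under 128 bytes only")
    return bytes([tag, len(payload)]) + payload


def bind_request(message_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage carrying a BindRequest with simple authentication (RFC 4511)."""
    if not 0 < message_id < 0x80:
        raise ValueError("demo keeps messageID to a single byte")
    version = _ber(0x02, b"\x03")                    # INTEGER 3
    name = _ber(0x04, dn.encode("utf-8"))            # LDAPDN as OCTET STRING
    auth = _ber(0x80, password)                      # AuthenticationChoice: simple [0]
    op = _ber(0x60, version + name + auth)           # [APPLICATION 0] BindRequest
    return _ber(0x30, _ber(0x02, bytes([message_id])) + op)


def jldap_style_bind_request(message_id: int, dn: str, password: bytes) -> bytes:
    """What a client built on the quoted logic puts on the wire."""
    _, effective_dn = jldap_style_mapping(dn, password)
    return bind_request(message_id, effective_dn, password)


def _tlv(buf: bytes, pos: int, expect: int):
    """Read one short-form TLV (the only kind this demo emits) and check its tag."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or tag != expect:
        raise ValueError(f"unexpected TLV at offset {pos}: tag {tag:#x}")
    return buf[pos + 2:pos + 2 + length], pos + 2 + length


def bind_name_on_wire(pkt: bytes) -> str:
    """Extract the DN field from an encoded BindRequest, as the server sees it."""
    msg, _ = _tlv(pkt, 0, 0x30)        # LDAPMessage
    _, pos = _tlv(msg, 0, 0x02)        # messageID
    op, _ = _tlv(msg, pos, 0x60)       # [APPLICATION 0] BindRequest
    _, pos = _tlv(op, 0, 0x02)         # version
    name, _ = _tlv(op, pos, 0x04)      # LDAPDN
    return name.decode("utf-8")


if __name__ == "__main__":
    dn = "cn=admin,dc=example,dc=com"                # constructed sample DN
    print("caller intended:", classify_bind(dn, b""))
    sent = bind_name_on_wire(jldap_style_bind_request(1, dn, b""))
    print("DN on the wire after the quoted logic:", repr(sent))
    try:
        checked_bind_params(dn, b"")
    except UnauthenticatedBindError as err:
        print("hardened client:", err)
```

The point the bytes make: a caller asking to bind as `cn=admin,...` with an empty password gets a request whose name field is the empty string, byte for byte identical to an explicit anonymous bind, so a `success` result from the server says nothing about the caller's identity. The hardened check raises before anything is sent; a real client would also want to treat an anonymous bind that it did not explicitly request as a failure rather than a success.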