Question =============
Leaving aside whether it is bad practice to have blank passwords, I would like to know: which of the following two has the correct LDAP behaviour?

    Command line "ldapsearch"
    Perl package "Net::LDAP"

I suspect "ldapsearch" is correct in how it handles binding with blank passwords. I am of the opinion that Net::LDAP contains a bug / special feature!

Example with "ldapsearch"
==============================

Joe Bloggs has a password set but it is empty / blank. Using ldapsearch the following happens when you search for the details on Joe Bloggs.

1) Fails: name
2) Success: name + password

    ldapsearch -h 'localhost' -x -s base -D 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com' -b 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com'

    ldapsearch -h 'localhost' -x -s base -D 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com' -b 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com' -w ''

I assume case 1) with just a name in fact just attempts an anonymous bind as the password is missing.

Example with "Net::LDAP"
==============================

The following code errors with (in summary):

    resultCode 48 'No password, did you mean noauth or anonymous ?'

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Data::Dumper;
    use Net::LDAP;

    # new() returns undef when the server cannot be reached; die instead of
    # calling bind() on an undefined value.
    my $ldapServer = Net::LDAP->new('ldap://localhost', 'port' => '389', 'timeout' => '2')
        or die "$@";

    my $message = $ldapServer->bind('cn=Joe Bloggs,ou=London,dc=axomic,dc=com', 'password' => '');
    if ($message->is_error()) {
        print "***Bind Error\n";
        print Dumper($message);
    } else {
        my $search = $ldapServer->search(
            'base'   => 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com',
            'filter' => '(objectClass=user)',
            'scope'  => 'base',
        );
        print Dumper($search);
    }

Test Hack
==============

As a test hack I tried commenting out the lines below, but as far as I can tell it is still trying an anonymous bind.

Using the bundle perl-ldap-0.3202, Net/LDAP.pm lines 318 and 319:

    ##########
    return _error($ldap, $mesg, LDAP_INAPPROPRIATE_AUTH, "No password, did you mean noauth or anonymous ?")
      if $type eq 'simple' and $passwd eq '';
    ##########

I followed the code through for a while to look at the packets sent on the wire but kind of ran out of steam.

    Net/LDAP/ASN.pm (Net::LDAP::ASN 0.0.3)
    Convert/ASN1.pm (Convert::ASN1 0.18)
    Convert/ASN1/_encode.pm (Convert::ASN1 0.18)
    Convert::ASN1->prepare
    Convert::ASN1->encode
    Convert::ASN1->_encode

Work Around
================

Comment out the lines mentioned above in Net/LDAP.pm, lines 318 and 319.

If a user gives a blank password, rather than just trying a bind with their name and password, do a bind then search for their details. This will tell you whether the bind really was successful.

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Data::Dumper;
    use Net::LDAP;

    my $ldapServer = Net::LDAP->new('ldap://localhost', 'port' => '389', 'timeout' => '2')
        or die "$@";

    my $dn       = 'cn=Joe Bloggs,ou=London,dc=axomic,dc=com';
    my $password = '';
    my $message  = $ldapServer->bind($dn, 'password' => $password);

    my $success;
    if ($password) {
        # Non-empty password: the bind result itself is the answer.
        $success = $message->is_error() ? '0' : '1';
    } else {
        # Empty password: confirm the bind by searching for the user's own
        # entry; a non-zero result code means the search (and so the bind)
        # did not really succeed.
        my $search = $ldapServer->search(
            'base'   => $dn,
            'filter' => '(objectClass=user)',
            'scope'  => 'base',
        );
        $success = $search->code ? '0' : '1';
    }
    print $success ? "Success\n" : "Failure\n";

Somebody Else With The Same Issue
======================================

http://www.nntp.perl.org/group/perl.ldap/512

OpenAsset - Image Management for Architects, Designers & Engineers
Axomic Ltd
338 City Road
London EC1V 2PY
t: +44 (0)20 7239 8287
m: +44 (0)7812 122418
http://www.axomic.com
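The behaviour the post compares has a name: RFC 4513 section 5.1.2 calls a simple bind that carries a DN but an empty password an "unauthenticated" bind, and servers that accept it grant only anonymous access while still answering the bind with success. That is why `ldapsearch ... -w ''` "succeeds" without proving anything, and why Net::LDAP returns LDAP_INAPPROPRIATE_AUTH (result code 48) rather than sending such a bind; the error text points at the `noauth => 1` and `anonymous => 1` bind options for callers who really do want an anonymous session. The script below is an added example, not code from the post or from the Net::LDAP distribution. It shows a login check that refuses empty or whitespace-only passwords before any bind is sent (slightly stricter than the post's `if ($password)` test), and it runs offline against a constructed `MockLDAP` stand-in that models a server accepting unauthenticated binds; the `connect_real` helper, the example DN and the credential table are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): a login check that never lets
# an empty-password simple bind be mistaken for authentication.
use strict;
use warnings;

# Constructed stand-in for an LDAP server so the script runs offline. It
# models the RFC 4513 5.1.2 behaviour: a DN with an empty password "binds"
# with result code 0 but is really anonymous. Swap in connect_real() to run
# against a live server.
package MockLDAP;

my %DIRECTORY = (    # constructed credentials for the demo only
    'cn=Joe Bloggs,ou=London,dc=example,dc=com' => 'correct-horse',
);

sub new { return bless { last_bind => undef }, shift }

sub bind {
    my ($self, $dn, %opt) = @_;
    my $pw = defined $opt{password} ? $opt{password} : '';
    my $code;
    if ($pw eq '') {
        $code = 0;      # unauthenticated bind accepted: anonymous, not Joe
    } elsif (exists $DIRECTORY{$dn} && $DIRECTORY{$dn} eq $pw) {
        $code = 0;      # genuine success
    } else {
        $code = 49;     # LDAP_INVALID_CREDENTIALS
    }
    $self->{last_bind} = { dn => $dn, password => $pw, code => $code };
    return MockMessage->new($code);
}

sub last_bind { return $_[0]->{last_bind} }

package MockMessage;
sub new      { my ($class, $code) = @_; return bless { code => $code }, $class }
sub code     { return $_[0]->{code} }
sub is_error { return $_[0]->{code} != 0 }

package main;

# Returns 1 only when a non-empty password was sent and the server accepted
# it. Empty or whitespace-only passwords are refused without contacting the
# server at all, so an unauthenticated bind can never be reported as a login.
sub authenticate_user {
    my ($ldap, $dn, $password) = @_;
    return 0 unless defined $password && $password =~ /\S/;
    my $mesg = $ldap->bind($dn, password => $password);
    return $mesg->is_error ? 0 : 1;
}

# Assumed helper for a real server; needs Net::LDAP installed.
sub connect_real {
    my ($uri) = @_;
    require Net::LDAP;
    my $ldap = Net::LDAP->new($uri, timeout => 2) or die "$@";
    return $ldap;
}

my $ldap = MockLDAP->new;
my $dn   = 'cn=Joe Bloggs,ou=London,dc=example,dc=com';

# 1) Blank password: the mock server would answer "success", but the guard
#    never sends the bind, so the login is refused.
my $r1 = authenticate_user($ldap, $dn, '');
printf "blank password   -> %d (bind sent: %s)\n", $r1,
    $ldap->last_bind() ? 'yes' : 'no';

# 2) Wrong password: bind is sent and rejected with code 49.
printf "wrong password   -> %d\n", authenticate_user($ldap, $dn, 'nope');

# 3) Correct password: bind is sent and accepted.
printf "correct password -> %d\n", authenticate_user($ldap, $dn, 'correct-horse');
```

Run it with `perl` and the first line reports `0` with `bind sent: no`, the second `0`, the third `1`. The point for application code is that the guard belongs on the client side, before the bind: relying on the server to reject unauthenticated binds (RFC 4513 only says it SHOULD by default) or on a follow-up search, as the post's workaround does, leaves the decision to configuration you may not control.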