Your message dated Sat, 14 May 2016 14:56:10 +1000 with message-id <[email protected]> and subject line Re: [Python-modules-team] Bug#823488: Bug#823488: python-ldap3: connection switch silently to anonymous bind if password is empty, failing auth has caused the Debian Bug report #823488, regarding python-ldap3: connection switch silently to anonymous bind if password is empty, failing auth to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
823488: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823488
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-ldap3
Version: 0.9.4.2-1
Severity: important

Dear Maintainer,

When creating a connection with the Connection object the code defaults to AUTH_ANONYMOUS (doing so an anonymous bind) also when _only_ the password is empty (not, as said by the documentation, when both user and password are empty).

These are the lines of /usr/lib/python3/dist-packages/ldap3/core/connection.py where the problem is:

    self.user = user
    self.password = password
    if self.user and self.password and not authentication:
        self.authentication = AUTH_SIMPLE
    elif not authentication:
        self.authentication = AUTH_ANONYMOUS
    elif authentication in [AUTH_SIMPLE, AUTH_ANONYMOUS, AUTH_SASL]:
        self.authentication = authentication
    else:
        self.last_error = 'unknown authentication method'
        raise LDAPUnknownAuthenticationMethodError(self.last_error)

If password is empty, with the default of None for authentication, the first if fails and then the second elif is selected. That means that you will get a valid object with an anonymous bind, the presence of the user will simply be ignored, and so when you also use the object to check authentication, looking whether you get a connection (as it should be), you will get authentication for every user just by giving an empty password.

That's plain wrong, contrary to what is said in the documentation here: http://ldap3.readthedocs.io/connections.html and very dangerous (the most plain way to use the library will bring people to enable empty password access for any user).
-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.6-1-pve (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages python-ldap3 depends on:
ii  python-pyasn1  0.1.7-1
pn  python:any     <none>

python-ldap3 recommends no packages.

python-ldap3 suggests no packages.

-- no debconf information
--- End Message ---
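As an added illustration of the report above (not code from the report or from ldap3 itself), the quoted selection logic re-implemented under hypothetical names beside a hardened form, plus a simulated "bind succeeded, so the password is right" login check; the toy DIRECTORY and its acceptance of anonymous and unauthenticated binds are constructed assumptions.

```python
# Added example, not ldap3's own code: the selection logic quoted in the
# report re-implemented with hypothetical names, beside a hardened form.
# The toy "directory" is constructed and assumed to accept anonymous binds.

AUTH_ANONYMOUS, AUTH_SIMPLE, AUTH_SASL = "ANONYMOUS", "SIMPLE", "SASL"
DIRECTORY = {"cn=alice,dc=example,dc=com": "correct-horse"}  # constructed

class UnknownAuthenticationMethod(Exception):
    pass

class EmptyPasswordError(ValueError):
    pass

def select_auth_as_reported(user, password, authentication=None):
    """Mirrors the report: a user with an empty password does not satisfy
    the first test and silently falls through to the anonymous branch."""
    if user and password and not authentication:
        return AUTH_SIMPLE
    if not authentication:
        return AUTH_ANONYMOUS
    if authentication in (AUTH_SIMPLE, AUTH_ANONYMOUS, AUTH_SASL):
        return authentication
    raise UnknownAuthenticationMethod("unknown authentication method")

def select_auth_hardened(user, password, authentication=None):
    """Never downgrade silently: a user name implies a simple bind, and a
    simple bind with an empty password is refused before anything is sent."""
    if authentication is None:
        authentication = AUTH_SIMPLE if user else AUTH_ANONYMOUS
    if authentication == AUTH_SIMPLE and not (user and password):
        raise EmptyPasswordError("simple bind needs a user and a non-empty password")
    if authentication in (AUTH_SIMPLE, AUTH_ANONYMOUS, AUTH_SASL):
        return authentication
    raise UnknownAuthenticationMethod("unknown authentication method")

def login_accepted(user, password, selector):
    """The application pattern from the report: a successful bind is taken
    as proof of the password. Returns True when the login would be accepted."""
    try:
        mode = selector(user, password)
    except EmptyPasswordError:
        return False  # rejected client-side; no bind reaches the server
    if mode == AUTH_ANONYMOUS:
        return True  # anonymous bind succeeds: "logged in" with no password
    if mode == AUTH_SIMPLE and not password:
        return True  # RFC 4513 5.1.2: name + empty password is an unauthenticated bind
    return mode == AUTH_SIMPLE and DIRECTORY.get(user) == password
```

Passing authentication=AUTH_SIMPLE explicitly is not a complete fix on its own: per RFC 4513 section 5.1.2 a server treats a name with an empty password as an unauthenticated bind, so the application must refuse empty passwords before binding regardless of what the library does.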
--- Begin Message ---
> As a result, I don't think there is anything I can do with this
> report. You could try talking to the security team, however I don't
> think this would qualify as a security issue requiring a security
> fix. It might also qualify for an update as a point release.

No response. Closing.
--
Brian May <[email protected]>
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

