Re: BUG #4877: LDAP auth allows empty password string
From | Magnus Hagander |
---|---|
Subject | Re: BUG #4877: LDAP auth allows empty password string |
Date | |
Msg-id | 4A4211C0.60605@hagander.net |
In response to | BUG #4877: LDAP auth allows empty password string ("Richard Tector" <richard@tector.org.uk>) |
List | pgsql-bugs |
Richard Tector wrote:
> The following bug has been logged online:
>
> Bug reference: 4877
> Logged by: Richard Tector
> Email address: richard@tector.org.uk
> PostgreSQL version: 8.3.7
> Operating system: FreeBSD 7.2-RELEASE-p1
> Description: LDAP auth allows empty password string
> Details:
>
> In general the client libraries for PostgreSQL error if an empty password is
> used. The JDBC drivers do not, and this has uncovered a problem with the
> server's LDAP authentication code.
>
> When authenticating against Active Directory using the method:
> ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
> Authentication is successful with both the correct password and an empty
> password, so long as a valid user is supplied. Using a non-existent username
> or an incorrect password correctly produces an error and the logon fails.

Since this is a security related report, it should have been reported to
security@postgresql.org, as specified on the web form you used. For this
reason, we will follow this up on that forum, and post a public followup
once the issue has been investigated.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
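
As an added example (not part of the message above and not PostgreSQL's own code): a check that refuses an empty password before the LDAP bind, shown next to the unchecked form. It assumes the reported behaviour is LDAP's unauthenticated simple bind (RFC 4513 section 5.1.2); `sim_simple_bind`, the `alice` account and its password are constructed stand-ins for the directory.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for this example (49 is LDAP invalidCredentials). */
enum { BIND_OK = 0, BIND_INVALID_CREDENTIALS = 49 };

/* Constructed stand-in for the directory: one account, CAPL\alice / "s3cret".
 * It answers a simple bind with a known name and an empty password with
 * success, the unauthenticated bind of RFC 4513 section 5.1.2 (assumed cause). */
static int sim_simple_bind(const char *name, const char *password)
{
    if (strcmp(name, "CAPL\\alice") != 0)
        return BIND_INVALID_CREDENTIALS;          /* non-existent user */
    if (password[0] == '\0')
        return BIND_OK;                           /* no credential was checked */
    return strcmp(password, "s3cret") == 0 ? BIND_OK : BIND_INVALID_CREDENTIALS;
}

/* Build the bind name as prefix + user, like the "CAPL\" prefix in the report. */
static int bind_as(const char *prefix, const char *user, const char *password)
{
    char name[256];
    int n = snprintf(name, sizeof name, "%s%s", prefix, user);
    if (n < 0 || (size_t) n >= sizeof name)
        return BIND_INVALID_CREDENTIALS;          /* truncated name: refuse */
    return sim_simple_bind(name, password);
}

/* Before: whatever the client sent is handed to the bind. */
int auth_unchecked(const char *user, const char *password)
{
    return bind_as("CAPL\\", user, password) == BIND_OK;
}

/* After: a missing or empty password is refused before any bind, so a
 * successful bind always means the directory verified a credential. */
int auth_checked(const char *user, const char *password)
{
    if (password == NULL || password[0] == '\0')
        return 0;
    return bind_as("CAPL\\", user, password) == BIND_OK;
}

int main(void)
{
    printf("unchecked, empty password: %d\n", auth_unchecked("alice", ""));
    printf("checked,   empty password: %d\n", auth_checked("alice", ""));
    return 0;
}
```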