spring-ldap
LdapTemplate authenticate returns true when empty password is provided
Hi, Calling the authenticate(Name base, String filter, String password) method on an LdapTemplate connected to AD is returning true when an empty password is provided. Is this the intended behavior? See code snippet below:
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("objectclass", "person"));
filter.and(new EqualsFilter("sAMAccountName", "myid"));
boolean rsp = template.authenticate(LdapUtils.emptyLdapName(), filter.toString(), "");
Thank you
@dpmesa I tried to reproduce against an LDAP server and it returned false, as we expect. I am assuming the same behaviour against AD, but perhaps I am wrong.
/cc @rwinch
I may be wrong, but I think AD is a little bit special here: I think you need to perform some operation using the connection in order for it to actually be authenticated when running against AD.
There's support for this, as described in the reference documentation here: http://docs.spring.io/spring-ldap/docs/current/reference/#operationsOnAuthenticatedContext
I just discovered a discrepancy in the API documentation and the actual implementation.
TLDR - Provide a callback
Instead of: template.authenticate(LdapUtils.emptyLdapName(), filter.toString(), "");
Do: template.authenticate(LdapUtils.emptyLdapName(), filter.toString(), "", new LookupAttemptingCallback());
The method docs for authenticate state:
Utility method to perform a simple LDAP 'bind' authentication. Search for the LDAP entry to authenticate using the supplied base DN and filter; use the DN of the found entry together with the password as input to {@link ContextSource#getContext(String, String)}, thus authenticating the entry. The resulting DirContext instance is then used as input to the supplied {@link AuthenticatedLdapEntryContextCallback} to perform any additional LDAP operations against the authenticated DirContext.
This is very misleading given that the overloaded method implementation is:
public boolean authenticate(Name base, String filter, String password) {
    return authenticate(base, filter, password,
            new NullAuthenticatedLdapEntryContextCallback(),
            new NullAuthenticationErrorCallback());
}
And the NullAuthenticatedLdapEntryContextCallback does nothing to validate the password.
I should add that I was testing against an instance of https://github.com/osixia/docker-openldap, which is OpenLDAP. Perhaps it behaves differently against other LDAP servers.
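A defensive wrapper that combines the two points made above, added here as an example and not code from this issue or from spring-ldap: refuse an empty password before any bind is attempted (a simple bind with a DN and an empty password is an unauthenticated bind under RFC 4513 section 5.1.2, which Active Directory accepts and reports as success), and pass a LookupAttemptingCallback so the bound context is actually exercised. The class name SafeLdapAuthenticator and the injected LdapTemplate are assumptions; the spring-ldap types and the four-argument authenticate overload are real.

```java
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LookupAttemptingCallback;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapUtils;

/**
 * Hypothetical helper (not part of spring-ldap) that guards the
 * LdapTemplate.authenticate call against the empty-password case.
 */
public final class SafeLdapAuthenticator {

    private final LdapTemplate template;

    public SafeLdapAuthenticator(LdapTemplate template) {
        this.template = template;
    }

    /** Returns true only when the user exists and the password binds. */
    public boolean authenticate(String samAccountName, String password) {
        // Primary defence: never send an empty password to the directory.
        // With an empty password the bind is "unauthenticated" (RFC 4513,
        // 5.1.2) and AD answers success, which is the bug in this issue.
        if (password == null || password.isEmpty()) {
            return false;
        }
        if (samAccountName == null || samAccountName.isEmpty()) {
            return false;
        }

        // EqualsFilter escapes the value, so the caller-supplied account name
        // cannot change the structure of the search filter.
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectclass", "person"));
        filter.and(new EqualsFilter("sAMAccountName", samAccountName));

        // Secondary defence: LookupAttemptingCallback performs a lookup on the
        // authenticated context, so a bind that the server only rejects once
        // an operation is issued (the AD behaviour noted above) fails here
        // instead of passing through NullAuthenticatedLdapEntryContextCallback.
        return template.authenticate(
                LdapUtils.emptyLdapName(),
                filter.toString(),
                password,
                new LookupAttemptingCallback());
    }
}
```

The explicit empty-password check is the part that does not depend on server configuration; the callback alone only helps when the directory denies the unauthenticated context the follow-up lookup.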
This issue just caused a huge security vulnerability with us. It first worked correctly, but after AD reconfiguration by another team this opened up our applications to passwordless logins.
At the very least, this should be in the javadoc, since the current documentation fully implies correct authentication.
Future traveler from 2021. We've just found this. Couldn't believe that it has been open since 2016.
Any updates on this? Perhaps password validation could be implemented by default, especially for the authenticate method?