View Issue Details

ID: 0003113
Project: mantisbt
Category: security
View Status: public
Last Update: 2004-12-11 03:02
Reporter: karl
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: i386
OS: RedHat Linux
OS Version: 7.2 and 7.3
Product Version: 0.18.0a4
Fixed in Version: 0.19.2
Summary: 0003113: LDAP authentication failure
Description

Once an account is established in Mantis and LDAP authentication is being used I can use a blank password to log in. It doesn't matter if a Mantis password is set or if an LDAP password is set or both. A valid password (either Mantis or LDAP) is also OK for successful login.

Steps To Reproduce
  1. Ensure LDAP authentication is enabled
  2. Create a new user in Mantis
  3. Set a password (or not) for the new user
  4. Log in as that user with no password
Additional Information

It's interesting to note that if I use any incorrect password I cannot log in.

Tags: No tags attached.

Relationships

has duplicate 0004534 closed vboctor LDAP: Authentication with empty passwort does not fail
child of 0004818 closed vboctor Mantis 0.19.2 release

Activities

karl
2003-04-16 06:21
reporter   ~0004182

After further research it appears that if LDAP is set up for anonymous access then a blank password will return TRUE. See the first user comment at http://www.php.net/manual/en/function.ldap-bind.php

This is the work around I used (as I don't allow anonymous access to Mantis):

*** ldap_api.php.orig Wed Apr 16 14:18:37 2003
--- ldap_api.php Fri Apr 11 16:36:43 2003


* 124,129 **
--- 124,133 ----
ldap_free_result( $t_sr );
ldap_unbind( $t_ds );

  • if ( is_blank( $p_password )) {
  • $t_authenticated = false;
  • }
  • return $t_authenticated;

    }
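Review bot: the blank-password guard runs only after `ldap_free_result( $t_sr );` and `ldap_unbind( $t_ds );`, so the connection has already been bound and searched with the empty credential before the result is discarded; the anonymous bind that the comment above describes still happens on every blank-password attempt. Move the check to the top of the function, before the connection is bound or searched, so an empty password never reaches the directory at all. Minor: inside the block `return false;` reads more directly than setting `$t_authenticated = false;` and falling through to the shared `return $t_authenticated;`.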

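As an added example (not the reporter's patch and not MantisBT's own code), the same LDAP login sequence written so that an empty or whitespace-only password is refused before the directory is contacted, the password is proven only by a simple bind as the user's own DN, and the bound identity is double-checked with a WhoAmI request so an anonymous bind can never count as a login. Every name and setting in it (example_ldap_authenticate, EXAMPLE_LDAP_URI, EXAMPLE_LDAP_BASE_DN, EXAMPLE_UID_ATTR, the ldap.example.test host) is a placeholder chosen for this example; ldap_exop_whoami exists in PHP 7.2 and later, and the code skips that check on older interpreters.

```php
<?php
// Added example, not MantisBT code. Hostname, base DN and attribute name are
// placeholders; point them at the directory you actually run.
const EXAMPLE_LDAP_URI     = 'ldap://ldap.example.test';     // placeholder
const EXAMPLE_LDAP_BASE_DN = 'ou=people,dc=example,dc=test';  // placeholder
const EXAMPLE_UID_ATTR     = 'uid';                           // placeholder

/**
 * Return true only if $p_username exists in the directory and a simple bind
 * as that user's DN succeeds with $p_password.
 * An empty or whitespace-only username or password is rejected before any
 * network traffic, so an unauthenticated (anonymous) bind is never attempted.
 */
function example_ldap_authenticate( string $p_username, string $p_password ): bool {
    // RFC 4513 section 5.1.2: a bind with a DN and an empty password is an
    // "unauthenticated" bind and succeeds as anonymous on many servers. That is
    // the failure the report describes, so refuse it here, before connecting.
    if ( trim( $p_username ) === '' || trim( $p_password ) === '' ) {
        return false;
    }

    // The username is interpolated into a search filter; escape it so it
    // cannot change the filter's structure.
    $t_safe_uid = ldap_escape( $p_username, '', LDAP_ESCAPE_FILTER );
    $t_filter   = '(' . EXAMPLE_UID_ATTR . '=' . $t_safe_uid . ')';

    $t_ds = ldap_connect( EXAMPLE_LDAP_URI );
    if ( $t_ds === false ) {
        return false;
    }
    ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $t_ds, LDAP_OPT_REFERRALS, 0 );

    $t_authenticated = false;
    try {
        // Lookup bind: anonymous here, matching the report's setup. Where the
        // directory forbids anonymous search, bind a service account instead.
        // Nothing about this step is ever treated as proof of identity.
        if ( @ldap_bind( $t_ds ) !== true ) {
            return false;
        }
        $t_sr = @ldap_search( $t_ds, EXAMPLE_LDAP_BASE_DN, $t_filter, array( 'dn' ) );
        if ( $t_sr === false ) {
            return false;
        }
        $t_entries = ldap_get_entries( $t_ds, $t_sr );
        ldap_free_result( $t_sr );
        if ( $t_entries === false || $t_entries['count'] !== 1 ) {
            return false; // unknown or ambiguous account
        }
        $t_dn = $t_entries[0]['dn'];

        // The only step that proves the password: a simple bind as the user's DN.
        if ( @ldap_bind( $t_ds, $t_dn, $p_password ) !== true ) {
            return false;
        }

        // Defensive check (PHP >= 7.2): ask the server who we are bound as.
        // An anonymous session answers with an empty authzId; reject that.
        if ( function_exists( 'ldap_exop_whoami' ) ) {
            $t_whoami = @ldap_exop_whoami( $t_ds );
            if ( $t_whoami === false || $t_whoami === '' ) {
                return false;
            }
        }
        $t_authenticated = true;
    } finally {
        // Runs on every return path above, so the connection is always closed.
        ldap_unbind( $t_ds );
    }
    return $t_authenticated;
}
```

Call it as `example_ldap_authenticate( 'alice', $password )` and treat only a `true` result as a login; the early `trim()` check is what closes the blank-password hole, and the bind as the user's own DN plus the WhoAmI check make the result independent of whether the server permits anonymous access.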
jpmens
2004-07-17 00:29
reporter   ~0006101

For 0.19.0a1 I've solved the problem with this patch:

*** ldap_api.php.orig Fri Jul 16 20:30:08 2004
--- ldap_api.php Fri Jul 16 20:31:03 2004


* 99,104 **
--- 99,110 ----
$t_ldap_organization = config_get( 'ldap_organization' );
$t_ldap_root_dn = config_get( 'ldap_root_dn' );

  • if ( is_blank( $p_user_id ) || is_blank( $p_password ) ) {
  • $t_authenticated = false;
  • return $t_authenticated;
  • }
  •         $t_username             = user_get_field( $p_user_id, 'username' );
            $t_search_filter        = "(&$t_ldap_organization(uid=$t_username))";
            $t_search_attrs         = array( 'uid', 'dn' );
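Review bot: the guard is in the right place here, before `user_get_field( ... )` and the search filter are built, so an empty user id or password never reaches the directory; that is the ordering the earlier patch lacked. Two smaller points: `$t_authenticated = false;` followed by `return $t_authenticated;` can simply be `return false;`, and the hunk lists the existing `$t_username = user_get_field( $p_user_id, 'username' );` line as an added line with only its indentation changed; drop that whitespace-only change so the patch contains nothing but the new guard.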