Richard Tector wrote:
> The following bug has been logged online:
>
> Bug reference: 4877
> Logged by: Richard Tector
> Email address: rich...@tector.org.uk
> PostgreSQL version: 8.3.7
> Operating system: FreeBSD 7.2-RELEASE-p1
> Description: LDAP auth allows empty password string
> Details:
>
> In general the client libraries for PostgreSQL error if an empty password is
> used. The JDBC drivers do not, and this has uncovered a problem with the
> server's LDAP authentication code.
>
> When authenticating against Active Directory using the method:
> ldap "ldap://osiris.capl.local/dc=capl,dc=local;CAPL\"
> Authentication is successful with both the correct password and an empty
> password, so long as a valid user is supplied. Using a non-existent username
> or an incorrect password correctly produces an error and the logon fails.
Since this is a security-related report, it should have been reported to secur...@postgresql.org, as specified on the web form you used. For this reason, we will follow this up on that forum, and post a public follow-up once the issue has been investigated.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
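The mechanism behind the report above, as an added illustration that is not part of the thread and not PostgreSQL's code: an LDAP simple bind that carries a name but an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which servers that permit it answer with success without checking any credential, so a server-side check must refuse empty passwords before the bind is ever attempted. The directory contents, account names and the `simulated_ad_bind` stand-in are constructed for this example; the prefix `CAPL\` is the one from the report's `ldap` line.

```python
# Added example, not PostgreSQL code: why an empty password must be refused
# before an LDAP simple bind, shown against a simulated directory.
from typing import Callable, Dict

# Constructed sample accounts standing in for the AD server in the report.
DIRECTORY: Dict[str, str] = {
    r"CAPL\alice": "correct horse",
    r"CAPL\bob": "battery staple",
}

BindFn = Callable[[str, str], bool]


def simulated_ad_bind(dn: str, password: str) -> bool:
    """Simulate a simple bind as the report observed it.

    RFC 4513 sec. 5.1.2: name + empty password is an 'unauthenticated' bind.
    A server that allows it returns success without checking a credential;
    following the report, the simulation only does so for an existing name.
    """
    if password == "":
        return dn in DIRECTORY  # no credential was verified at all
    return DIRECTORY.get(dn) == password


def build_bind_dn(username: str, prefix: str = "CAPL\\", suffix: str = "") -> str:
    """Prefix + user + suffix, the shape used by the report's ldap line."""
    return f"{prefix}{username}{suffix}"


def vulnerable_auth(username: str, password: str, bind: BindFn = simulated_ad_bind) -> bool:
    """Behaviour the report describes: whatever the client sent goes to bind."""
    return bind(build_bind_dn(username), password)


def hardened_auth(username: str, password: str, bind: BindFn = simulated_ad_bind) -> bool:
    """Refuse an empty (or blank) password before the directory sees it."""
    if not username or password.strip() == "":
        return False
    return bind(build_bind_dn(username), password)
```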