Kopy
17 years ago
Hi,
I run the following program against an Active Directory.
#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <winldap.h>
int main ()
{
LDAP *pldap;
if(!(pldap = ldap_init("adname.mycompany.com", 389)))
{
puts("ldap_initialize failed");
return EXIT_FAILURE;
}
int desired_version = LDAP_VERSION3;
if (ldap_set_option(pldap, LDAP_OPT_PROTOCOL_VERSION, &desired_version)
!= LDAP_SUCCESS)
{
puts("ldap_set_option failed!");
return EXIT_FAILURE;
}
char * usr = "CN=myusrname,CN=Users,DC=adname,DC=mycompany,DC=com";
char * pwd = ""; // Blank Password
if(ldap_bind_s(pldap,usr,pwd,LDAP_AUTH_SIMPLE) != LDAP_SUCCESS)
{
puts("ldap_bind_s TestUsr failed!");
return EXIT_FAILURE;
}
puts("Success");
return EXIT_SUCCESS;
}
ldap_bind_s returns success - even if pwd = ""
Otoh, if I change pwd = "WrongPwd", it fails.
So why is AD treating a valid usrname with null password as an anonymous
bind?
Other LDAP servers, I have tried this against, treat only null usrname &
null passwd
as an anonymous bind?
This code is present in my application which uses an ldap directory for
authentication
purposes. Is the only way to prevent anonymous binds is reject any pwd which
is null
rather than passing it to AD?
I would rather not change settings in the Active Directory configuration,
because I
wish my app to work against any LDAP configuration. However, if there are
any such settings, I would like to identify them.
I run the following program against an Active Directory.
#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <winldap.h>
int main ()
{
LDAP *pldap;
if(!(pldap = ldap_init("adname.mycompany.com", 389)))
{
puts("ldap_initialize failed");
return EXIT_FAILURE;
}
int desired_version = LDAP_VERSION3;
if (ldap_set_option(pldap, LDAP_OPT_PROTOCOL_VERSION, &desired_version)
!= LDAP_SUCCESS)
{
puts("ldap_set_option failed!");
return EXIT_FAILURE;
}
char * usr = "CN=myusrname,CN=Users,DC=adname,DC=mycompany,DC=com";
char * pwd = ""; // Blank Password
if(ldap_bind_s(pldap,usr,pwd,LDAP_AUTH_SIMPLE) != LDAP_SUCCESS)
{
puts("ldap_bind_s TestUsr failed!");
return EXIT_FAILURE;
}
puts("Success");
return EXIT_SUCCESS;
}
ldap_bind_s returns success - even if pwd = ""
Otoh, if I change pwd = "WrongPwd", it fails.
So why is AD treating a valid usrname with null password as an anonymous
bind?
Other LDAP servers, I have tried this against, treat only null usrname &
null passwd
as an anonymous bind?
This code is present in my application which uses an ldap directory for
authentication
purposes. Is the only way to prevent anonymous binds is reject any pwd which
is null
rather than passing it to AD?
I would rather not change settings in the Active Directory configuration,
because I
wish my app to work against any LDAP configuration. However, if there are
any such settings, I would like to identify them.