View Issue Details

ID: 0003113
Project: mantisbt
Category: security
View Status: public
Last Update: 2004-12-11 03:02
Reporter: karl
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: i386
OS: RedHat Linux
OS Version: 7.2 and 7.3
Product Version: 0.18.0a4
Fixed in Version: 0.19.2
Summary: 0003113: LDAP authentication failure
Description

Once an account is established in Mantis and LDAP authentication is being used I can use a blank password to log in. It doesn't matter if a Mantis password is set or if an LDAP password is set or both. A valid password (either Mantis or LDAP) is also OK for successful login.

Steps To Reproduce
  1. Ensure LDAP authentication is enabled
  2. Create a new user in Mantis
  3. Set a password (or not) for the new user
  4. Log in as that user with no password
Additional Information

It's interesting to note that if I use any incorrect password I cannot log in.

Tags: No tags attached.

Relationships

has duplicate 0004534 closed vboctor LDAP: Authentication with empty passwort does not fail
child of 0004818 closed vboctor Mantis 0.19.2 release

Activities

karl

2003-04-16 06:21

reporter   ~0004182

After further research it appears that if LDAP is set up for anonymous access then a blank password will return TRUE. See the first user comment at http://www.php.net/manual/en/function.ldap-bind.php

This is the workaround I used (as I don't allow anonymous access to Mantis):

*** ldap_api.php.orig Wed Apr 16 14:18:37 2003
--- ldap_api.php Fri Apr 11 16:36:43 2003


* 124,129 **
--- 124,133 ----
ldap_free_result( $t_sr );
ldap_unbind( $t_ds );

  • if ( is_blank( $p_password )) {
  • $t_authenticated = false;
  • }
  • return $t_authenticated;

    }
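Review bot: the blank-password guard `if ( is_blank( $p_password )) {` is placed after `ldap_free_result( $t_sr );` and `ldap_unbind( $t_ds );`, so the search and the bind against the directory have already run by the time the password is inspected; since the note above explains that the bind itself returns TRUE for an empty password, the guard belongs at the top of the function, before any ldap_* call, so the directory is never asked to evaluate an unauthenticated bind. The check also covers only the password; a blank `$p_user_id` should be rejected by the same condition. Separately, the pasted hunk carries `•` where a context diff has `+` markers and its header reads `* 124,129 **`, so it will not apply with patch(1) as posted; attaching the original file would make it usable.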

jpmens

2004-07-17 00:29

reporter   ~0006101

For 0.19.0a1 I've solved the problem with this patch:

*** ldap_api.php.orig Fri Jul 16 20:30:08 2004
--- ldap_api.php Fri Jul 16 20:31:03 2004


* 99,104 **
--- 99,110 ----
$t_ldap_organization = config_get( 'ldap_organization' );
$t_ldap_root_dn = config_get( 'ldap_root_dn' );

  • if ( is_blank( $p_user_id ) || is_blank( $p_password ) ) {
  • $t_authenticated = false;
  • return $t_authenticated;
  • }
  •         $t_username             = user_get_field( $p_user_id, 'username' );
            $t_search_filter        = "(&$t_ldap_organization(uid=$t_username))";
            $t_search_attrs         = array( 'uid', 'dn' );
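Review bot: the early return in `if ( is_blank( $p_user_id ) || is_blank( $p_password ) ) {` now precedes both the `user_get_field()` lookup and the search, which is the right place, since nothing reaches the directory for a blank credential and both halves of the simple bind are covered. Two details to confirm: the line `•         $t_username             = user_get_field( $p_user_id, 'username' );` is marked as added although the same assignment follows as context, so either the context was mangled when pasting or the assignment ends up twice in the applied file. Also `$t_search_filter        = "(&$t_ldap_organization(uid=$t_username))";` interpolates the username into the filter without escaping; because `$t_username` comes from Mantis' own user table rather than from the request, this is not reachable from the login form, but escaping the value is cheap hardening.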

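The two patches above (karl's and jpmens') both add the same guard: refuse to authenticate when the user id or password is blank, because a simple bind with an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that many directories accept and that PHP's ldap_bind() reports as TRUE. The following is an added example, not MantisBT code, showing that guard placed before any network call in a stand-alone authenticate routine. The config keys ldap_organization and ldap_root_dn mirror the ones visible in the patch; ldap_server, the function names and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not MantisBT code). Demonstrates the fix from the two patches
// above: blank credentials are rejected before the directory is ever contacted,
// so an unauthenticated (empty-password) simple bind can never return TRUE.

// Returns true only if both values are non-empty after trimming.
// Whitespace-only passwords are rejected as well, which is stricter than the
// protocol requires but matches the patches' use of is_blank().
function ldap_credentials_are_usable(?string $username, ?string $password): bool
{
    return trim((string) $username) !== '' && trim((string) $password) !== '';
}

// $config is an assumed array with keys ldap_server (assumption),
// ldap_organization and ldap_root_dn (the keys seen in the patch).
function ldap_authenticate_user(array $config, string $username, string $password): bool
{
    // Guard BEFORE any ldap_* call: no connect, no search, no bind with blanks.
    if (!ldap_credentials_are_usable($username, $password)) {
        return false;
    }

    $ds = ldap_connect($config['ldap_server']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Resolve the user's DN; the username is escaped before going into the filter.
    $filter = '(&' . $config['ldap_organization']
            . '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = @ldap_search($ds, $config['ldap_root_dn'], $filter, ['dn']);
    if ($sr === false) {
        ldap_unbind($ds);
        return false;
    }
    $entries = ldap_get_entries($ds, $sr);
    ldap_free_result($sr);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;
    }
    $dn = $entries[0]['dn'];

    // Simple bind as the user. The @ suppresses the warning on bad credentials;
    // only the boolean result matters. By this point $password is non-blank,
    // so a TRUE here is a real authenticated bind, not an unauthenticated one.
    $authenticated = @ldap_bind($ds, $dn, $password) === true;
    ldap_unbind($ds);
    return $authenticated;
}

// Offline demonstration of the guard with constructed inputs (no LDAP server needed).
$cases = [
    ['jdoe', ''],          // the reported bug: blank password
    ['', 'hunter2'],       // blank user id
    ['jdoe', '   '],       // whitespace-only password
    ['jdoe', 'hunter2'],   // only this pair may proceed to a bind
];
foreach ($cases as [$u, $p]) {
    printf("user=%-6s pass=%-9s usable=%s\n",
        var_export($u, true), var_export($p, true),
        ldap_credentials_are_usable($u, $p) ? 'yes' : 'no');
}
```

The ordering is the whole point: the guard runs before ldap_connect(), so a blank password never produces a bind request at all, whereas a check placed after the bind (as in the first patch) still lets the directory answer TRUE and merely discards that answer afterwards.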
Issue History

Date Modified Username Field Change
2003-04-09 09:03 karl New Issue
2003-04-16 06:21 karl Note Added: 0004182
2004-07-17 00:29 jpmens Note Added: 0006101
2004-12-08 07:14 vboctor Relationship added has duplicate 0004534
2004-12-08 07:15 vboctor Assigned To => vboctor
2004-12-08 07:16 vboctor Category bugtracker => security
2004-12-08 07:17 vboctor Status new => resolved
2004-12-08 07:17 vboctor Fixed in Version => 0.19.2
2004-12-08 07:17 vboctor Resolution open => fixed
2004-12-08 07:17 vboctor Relationship added child of 0004818
2004-12-11 03:02 vboctor Status resolved => closed