Last post Jun 09, 2010 06:45 PM by moses48
Jun 02, 2010 08:08 PM | moses48
OK, so I have some simple code authenticating users against an LDAP. This works fine and dandy against most LDAPs except AD LDAP. What is happening is we get the user's DN and then try to bind with that DN and the password the user passed in. We are using simple bind. If the password is invalid, we get the "invalid credentials - error 49" as expected. If the password is empty I get a successful bind. All my other LDAP servers (OpenLDAP, SidVault, etc.) will give me an invalid credentials on the empty password. Is there any way to set up the AD LDAP so that it will not accept binds without passwords?
Any info on this would be appreciated.
Jun 09, 2010 06:45 PM | moses48
After some research I found how my client should be fixed. But also, I would still like to know how to set up the LDAP server to do what all my other LDAP servers do: give an unwilling to perform response.
LDAP standard is here:
Excerpt from standard Section 5.1.2:
Clients SHOULD be implemented to require user selection of the Unauthenticated Authentication Mechanism by means other than user input of an empty password. Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface. Additionally, Servers SHOULD by default fail Unauthenticated Bind requests with a resultCode of unwillingToPerform.
I will edit my code and fix this. But I have customers that are using the current code and don't know how to configure their AD to respond with unwillingToPerform. Honestly, I am unfamiliar with AD LDAP.