path: root/Core/Tests/Authentication/AuthenticationProviderManagerTest.php
author: Charles Sarrazin <charles.sarrazin@sensiolabs.com> 2016-02-18 12:25:21 +0100
committer: Fabien Potencier <fabien.potencier@gmail.com> 2016-05-09 14:32:30 -0500
commit: 41bd59c6e04c433c9d0bcd53d8524226fb3aeb3a (patch)
tree: 53a3db8ca9a4b9c80cd72ecb390fde1af47c6895 /Core/Tests/Authentication/AuthenticationProviderManagerTest.php
parent: 069e08a5fa994d2b855fa050fdc1dace50c32113 (diff)
Fixed issue with blank password with Ldap
The bind operation of LDAP, as described in RFC 4513, provides a method which allows for authentication of users. For the Simple Authentication Method a user may use the anonymous authentication mechanism, the unauthenticated authentication mechanism, or the name/password authentication mechanism. The unauthenticated authentication mechanism is used when a client who desires to establish an anonymous authorization state passes a non-zero length distinguished name and a zero length password. Most LDAP servers either can be configured to allow this mechanism or allow it by default. _Web-based applications which perform the simple bind operation with the client's credentials are at risk when an anonymous authorization state is established. This can occur when the web-based application passes a distinguished name and a zero length password to the LDAP server._ Thus, misconfiguring a server with simple bind can trick Symfony into treating the username/password tuple as valid, potentially leading to unauthorized access.
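The guard the commit message calls for, written out as an added example (this is not the Symfony project's own code and not the code of this commit): an empty password is rejected before any simple bind is attempted, so a zero-length password can never be turned into the RFC 4513 "unauthenticated" bind that many servers accept with an anonymous authorization state. The class name `LdapSimpleBindAuthenticator`, the injected `$bind` callable (which in production would wrap `ldap_bind()` from ext-ldap) and the `$fakeDirectory` stand-in for a permissively configured server are all constructed for this example so that it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: reject empty passwords before an LDAP simple bind.

final class BadCredentialsException extends RuntimeException {}

final class LdapSimpleBindAuthenticator
{
    /** @var callable(string, string): bool */
    private $bind;

    /**
     * @param callable $bind performs the simple bind and returns true on success.
     *        Hypothetical injection point: in a real deployment this wraps
     *        ldap_bind() from ext-ldap; injected here so the example needs no server.
     */
    public function __construct(callable $bind)
    {
        $this->bind = $bind;
    }

    /** Hardened form: the empty-password check runs before the directory is contacted. */
    public function authenticate(string $dn, string $password): void
    {
        // RFC 4513 section 5.1.2: a non-empty DN with a zero-length password is an
        // "unauthenticated" bind. Servers that allow it return success while granting
        // only anonymous authorization, which the caller would misread as a valid login.
        if ('' === $dn || '' === $password) {
            throw new BadCredentialsException('The presented password must not be empty.');
        }
        if (!($this->bind)($dn, $password)) {
            throw new BadCredentialsException('The presented password is invalid.');
        }
    }

    /** Vulnerable form, kept only to show the failure mode: bind result taken at face value. */
    public function authenticateWithoutGuard(string $dn, string $password): void
    {
        if (!($this->bind)($dn, $password)) {
            throw new BadCredentialsException('The presented password is invalid.');
        }
    }
}

// Constructed stand-in for a directory that allows unauthenticated binds:
// any non-empty DN with an empty password "succeeds", as does one real DN/password pair.
$fakeDirectory = function (string $dn, string $password): bool {
    if ('' !== $dn && '' === $password) {
        return true; // unauthenticated bind accepted: anonymous authorization state
    }
    return 'uid=alice,dc=example,dc=com' === $dn && 'correct horse battery staple' === $password;
};

$auth = new LdapSimpleBindAuthenticator($fakeDirectory);

$attempts = [
    ['uid=alice,dc=example,dc=com', 'correct horse battery staple', 'valid credentials'],
    ['uid=alice,dc=example,dc=com', '', 'empty password'],
    ['uid=alice,dc=example,dc=com', 'wrong', 'wrong password'],
];

foreach (['authenticateWithoutGuard' => 'unguarded', 'authenticate' => 'guarded'] as $method => $label) {
    foreach ($attempts as [$dn, $password, $case]) {
        try {
            $auth->$method($dn, $password);
            echo "$label / $case: accepted\n";
        } catch (BadCredentialsException $e) {
            echo "$label / $case: rejected ({$e->getMessage()})\n";
        }
    }
}
```

Run against the constructed directory, the unguarded path accepts the empty-password attempt while the guarded path rejects it; the valid and wrong-password cases behave identically in both. The check belongs in the application because, as the commit message notes, whether the server honours unauthenticated binds is a server-side setting the application cannot rely on.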
Diffstat (limited to 'Core/Tests/Authentication/AuthenticationProviderManagerTest.php')
0 files changed, 0 insertions, 0 deletions