acidkewpie
Programmer
Hi,
We have an issue whereby the Active Directory servers are apparently falsely authenticating LDAP auth requests where a blank password is provided. Authentication is as expected when a wrong or right password is provided, but if no password is provided at all, the request is normally also approved. Packet dumps we’ve taken off of the wire have shown that this is down to the response from the AD servers specifically. we can see an LDAP authentication being sent to the server in question from a RADIUS server which contains a null password (seen via ethereal) and the immediate response is a success message, when naturally it should fail like any other password not matching the real one.
has anyone seen any sort of behaviour like this? some little tick box somewhere?
Thanks
Chris
We have an issue whereby the Active Directory servers are apparently falsely authenticating LDAP auth requests where a blank password is provided. Authentication is as expected when a wrong or right password is provided, but if no password is provided at all, the request is normally also approved. Packet dumps we’ve taken off of the wire have shown that this is down to the response from the AD servers specifically. we can see an LDAP authentication being sent to the server in question from a RADIUS server which contains a null password (seen via ethereal) and the immediate response is a success message, when naturally it should fail like any other password not matching the real one.
has anyone seen any sort of behaviour like this? some little tick box somewhere?
Thanks
Chris
