[Python-modules-team] Bug#823488: python-ldap3: connection switch silently to anonymous bind if password is empty, failing auth

Simone Piccardi piccardi at truelite.it
Thu May 5 08:36:49 UTC 2016 

Package: python-ldap3
Version: 0.9.4.2-1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

When creating a connection with the Connection object the code defaults to 
AUTH_ANONYMOUS (doing so an anonymus bind) also when _only_ the password
is empty (not, as said by documentation, when both user and password are 
empty). 

These the lines of /usr/lib/python3/dist-packages/ldap3/core/connection.py
where the problem is:

        self.user = user
        self.password = password
        if self.user and self.password and not authentication:
            self.authentication = AUTH_SIMPLE
        elif not authentication:
            self.authentication = AUTH_ANONYMOUS
        elif authentication in [AUTH_SIMPLE, AUTH_ANONYMOUS, AUTH_SASL]:
            self.authentication = authentication
        else:
            self.last_error = 'unknown authentication method'
            raise LDAPUnknownAuthenticationMethodError(self.last_error)

If password is empty, according to default of None for authentication, the 
first if fails and then is selected the second elif.

That means that you will get a valid object with anonymous bind, 
the user presence will be simply ignored but, and so when you use 
object also to check autentication, looking if you get a connection 
(as it should be), you will got authentication for every user just 
giving an empty password.

That's plain wrong, contrary to what is said in the documentation here:

http://ldap3.readthedocs.io/connections.html

and very dangerous (the more plain way to use the library will bring people 
to enable empty password access for any user). 


-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.6-1-pve (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages python-ldap3 depends on:
ii  python-pyasn1  0.1.7-1
pn  python:any     <none>

python-ldap3 recommends no packages.

python-ldap3 suggests no packages.

-- no debconf information

More information about the Python-modules-team mailing list