summaryrefslogtreecommitdiffstats
path: root/server/providers/ldap/ldap_auth.c
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-08-18 12:57:43 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-08-24 12:45:12 -0400
commit6094a2eec52a6f4391a657fbfc519f926bd4ce21 (patch)
treecc04dbb9e9a910984503be2c1903d36feceea965 /server/providers/ldap/ldap_auth.c
parent976e5c721fc4e99c4255370108795138a9c5d99b (diff)
downloadsssd-1_0_7.tar.gz
sssd-1_0_7.tar.xz
sssd-1_0_7.zip
Treat a zero-length password as a failuresssd-1_0_7
Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD.
Diffstat (limited to 'server/providers/ldap/ldap_auth.c')
-rw-r--r--server/providers/ldap/ldap_auth.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 28b3240b3..5df4dbb43 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -458,6 +458,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
req = tevent_req_create(memctx, &state, struct auth_state);
if (!req) return NULL;
+ /* Treat a zero-length password as a failure */
+ if (password.length == 0) {
+ state->result = SDAP_AUTH_FAILED;
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
state->ev = ev;
state->ctx = ctx;
state->username = username;