Closed kamaradclimber closed 5 years ago
Since the merge of https://github.com/ContainX/marathon-ldap/pull/23, the master branch of this repository allows anyone to authenticate as any (existing) user in LDAP.
To reproduce:
{username}
This issue was introduced by https://github.com/ContainX/marathon-ldap/commit/a778d9de1b7191bddfbe596fc5827b27257c19bb, which removes the step where the user password is validated (by always using bind credentials).
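The flaw reported above, next to a search-then-bind login that does validate the password. This is an added example, not code from marathon-ldap: the directory is an in-memory model standing in for an LDAP server, and every DN, account, password and function name in it is constructed for illustration.

```python
import hmac

# Constructed sample directory: DN -> attributes (not real accounts).
SVC_DN = "cn=svc-marathon,ou=services,dc=example,dc=org"
SVC_PW = "svc-secret"
ENTRIES = {
    SVC_DN: {"uid": "svc-marathon", "pw": SVC_PW},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "pw": "correct horse"},
}

def bind(dn, password):
    """Model of an LDAP simple bind. An empty password is an unauthenticated
    bind (RFC 4513, section 5.1.2), which a server may accept as anonymous."""
    if password == "":
        return True
    entry = ENTRIES.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["pw"].encode(), password.encode())

def find_dn(uid):
    """Model of the directory search performed under the service account."""
    return next((dn for dn, e in ENTRIES.items() if e["uid"] == uid), None)

def login_flawed(username, password):
    """Failure mode from the issue: only the service (bind) credentials are
    ever presented, so finding the entry is treated as a successful login."""
    if not bind(SVC_DN, SVC_PW):
        return False
    return find_dn(username) is not None   # supplied password is never checked

def login_checked(username, password):
    """Search as the service account, then bind again as the user's own DN
    with the password the user supplied."""
    if not password:                       # refuse unauthenticated binds up front
        return False
    if not bind(SVC_DN, SVC_PW):
        return False
    user_dn = find_dn(username)
    if user_dn is None:
        return False
    return bind(user_dn, password)         # the directory validates the password
```

A regression test for this class of bug needs at least two negative cases: an existing user with a wrong password, and an existing user with an empty password.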