uilianries / conan-ldap-authentication

An LDAP authentication plugin for Conan.io
MIT License
6 stars, 1 fork

Accepts empty password! #9

Closed. tasptz closed this issue 6 years ago

tasptz commented 6 years ago

https://github.com/uilianries/conan-ldap-authentication/blob/9eaab4bcaf2427532c536b5eedcd1d44010e3d3f/conan/ldap_authentication.py#L131

This line does not throw an exception if I submit an empty password and therefore accepts the login!

It is actually this problem: https://www.jfrog.com/jira/browse/RTFACT-3378

If the conclusion is, that it is not a problem of this module but the ldap server I suggest to at least warn users of this possible issue.

uilianries commented 6 years ago

I agree!

An empty password could be a real problem; however, the RFC doesn't forbid its usage, it strongly advises against this approach.

I'll put a warning message, reporting the empty data, but just because it's not forbidden. Otherwise, I would raise an error.

Thanks for the report!

uilianries commented 6 years ago

Well, reading again I found:

> Additionally, Servers SHOULD by default fail Unauthenticated Bind requests

So, in this case, I think that we should raise an error to avoid empty password.
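The failure mode discussed in this thread, as an added example that is not the plugin's own code: an LDAP Simple Bind with a non-empty DN and an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2). Servers SHOULD refuse it by default, but a permissively configured directory answers with success and hands out an anonymous session, so a client that only checks "did the bind succeed?" accepts the login. The directory is simulated here with an in-memory stub (`FakeLdapServer`, a hypothetical name) so the example runs offline; the sample DN and password are constructed, and a real deployment would call a library such as python-ldap or ldap3 in place of the stub. The vulnerable function trusts the bind result alone; the hardened one rejects empty credentials before any bind and also requires the bind to have produced an authenticated (not anonymous) session.

```python
# Added example, not code from conan-ldap-authentication.
# Demonstrates why an LDAP client must reject empty passwords itself.


class LdapAuthError(Exception):
    """Raised when a bind is refused or a credential is unusable."""


class FakeLdapServer:
    """Hypothetical stand-in for a directory server, modelled on RFC 4513 5.1.

    - empty DN + empty password  -> anonymous bind (5.1.1), always succeeds
    - non-empty DN + empty password -> unauthenticated bind (5.1.2); refused
      when strict, but on a permissive server it succeeds as *anonymous*
    - non-empty DN + password -> authenticated bind, password is checked
    """

    def __init__(self, users, allow_unauthenticated_bind):
        self._users = users  # dn -> password, constructed sample data
        self._allow_unauth = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        if dn == "" and password == "":
            return "anonymous"
        if password == "":
            if self._allow_unauth:
                return "anonymous"  # bind "succeeds", but nobody was authenticated
            raise LdapAuthError("unauthenticated bind refused by server")
        if self._users.get(dn) == password:
            return "authenticated"
        raise LdapAuthError("invalid credentials")


def authenticate_vulnerable(server, dn, password):
    """Only asks whether the bind raised. Empty password passes on a permissive server."""
    try:
        server.simple_bind(dn, password)
        return True
    except LdapAuthError:
        return False


def authenticate_hardened(server, dn, password):
    """Refuses empty DN/password before binding and insists on an authenticated session."""
    if not dn or not password:
        # Never send an empty password: the server may accept it as an
        # unauthenticated bind and report success.
        raise LdapAuthError("empty DN or password is not accepted")
    result = server.simple_bind(dn, password)
    if result != "authenticated":
        # Defence in depth: a bind that did not authenticate anyone is a failure.
        raise LdapAuthError("bind did not produce an authenticated session")
    return True


def demo():
    """Runs both clients against a permissive server; returns the observed outcomes."""
    dn = "cn=alice,dc=example,dc=org"  # constructed sample account
    permissive = FakeLdapServer({dn: "s3cret"}, allow_unauthenticated_bind=True)
    outcomes = {
        "vulnerable_empty_password": authenticate_vulnerable(permissive, dn, ""),
        "vulnerable_correct_password": authenticate_vulnerable(permissive, dn, "s3cret"),
        "vulnerable_wrong_password": authenticate_vulnerable(permissive, dn, "wrong"),
    }
    try:
        authenticate_hardened(permissive, dn, "")
        outcomes["hardened_empty_password"] = True
    except LdapAuthError:
        outcomes["hardened_empty_password"] = False
    outcomes["hardened_correct_password"] = authenticate_hardened(permissive, dn, "s3cret")
    return outcomes


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

The client-side check is the important part: the server's default is outside the plugin's control, and a directory that has been configured to allow unauthenticated binds will keep answering "success" to an empty password no matter what the RFC recommends.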

uilianries commented 6 years ago

@tasptz Release 0.2.0 is done!

It contains this new behavior. Please, update.