Ureader.com  
Microsoft software help and Community
date: Fri, 11 Apr 2008 18:30:47 +0530,    group: microsoft.public.platformsdk.active.directory


Blank Password with bind   
Hi,

I run the following program against an Active Directory.

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <winldap.h>

int main ()
{
    LDAP *pldap;

    if(!(pldap = ldap_init("adname.mycompany.com", 389)))
    {
        puts("ldap_initialize failed");
        return EXIT_FAILURE;
    }

    int desired_version = LDAP_VERSION3;
    if (ldap_set_option(pldap, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_SUCCESS)
    {
        puts("ldap_set_option failed!");
        return EXIT_FAILURE;
    }

    char * usr = "CN=myusrname,CN=Users,DC=adname,DC=mycompany,DC=com";
    char * pwd = ""; // Blank Password

    if(ldap_bind_s(pldap,usr,pwd,LDAP_AUTH_SIMPLE) != LDAP_SUCCESS)
    {
        puts("ldap_bind_s TestUsr failed!");
        return EXIT_FAILURE;
    }

    puts("Success");
    return EXIT_SUCCESS;
}

ldap_bind_s returns success - even if pwd = ""
Otoh, if I change pwd = "WrongPwd", it fails.

So why is AD treating a valid usrname with a null password as an anonymous bind?
Other LDAP servers I have tried this against treat only null usrname & null passwd as an anonymous bind.

This code is present in my application, which uses an LDAP directory for authentication purposes. Is the only way to prevent anonymous binds to reject any pwd which is null rather than passing it to AD?

I would rather not change settings in the Active Directory configuration, because I wish my app to work against any LDAP configuration. However, if there are any such settings, I would like to identify them.
date: Fri, 11 Apr 2008 18:30:47 +0530   author:   Kopy

Old Msg by Dmitri Gavrilov [ Re: Blank Password with bind ]   
No response yet.
I searched the archive & this is what I found.
http://groups.google.co.in/group/microsoft.public.platformsdk.active.directory/msg/efbdbcf73ab072c7

"Simple bind with empty pwd never fails. If user does not
exist or pwd does not match, then we treat this as "become anonymous"
request. "

So it looks like this is by design for Active Directory.
Just one question - is there a way to figure out whether the bind succeeded as anonymous or as a real bind? Is there something to find out if the bind succeeded because the user's actual password was indeed null or not? I suspect not, but asking anyway.

date: Mon, 14 Apr 2008 09:42:38 +0530   author:   Kopy

Re: Old Msg by Dmitri Gavrilov [ Re: Blank Password with bind ]   
If the domain allows blank passwords (not a good policy, but some do) and 
you are using simple bind, then no.  Secure bind will allow you to 
differentiate.

Joe K.
-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
date: Sun, 13 Apr 2008 23:32:23 -0500   author:   Joe Kaplan
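
Added example (not part of the thread and not code from any poster): a client-side guard for the behaviour discussed above. It classifies a simple bind by the mechanisms of RFC 4513 section 5.1 and refuses to forward anything except a name/password bind. The bind_fn callback, stub_ad_bind, BIND_INVALID and the sample password are constructed for illustration; in a real client the callback would wrap ldap_bind_s.

```c
#include <stdio.h>
#include <string.h>

#define SAMPLE_DN "CN=myusrname,CN=Users,DC=adname,DC=mycompany,DC=com"

/* Simple-bind kinds from RFC 4513 section 5.1; BIND_INVALID is an added
 * catch-all for an empty name sent with a password. */
typedef enum { BIND_ANONYMOUS, BIND_UNAUTHENTICATED,
               BIND_NAME_PASSWORD, BIND_INVALID } bind_kind;

/* Hypothetical callback wrapping the real bind call; returns 0 on success. */
typedef int (*bind_fn)(const char *dn, const char *pwd);

bind_kind classify_simple_bind(const char *dn, const char *pwd)
{
    int has_dn  = dn  != NULL && dn[0]  != '\0';
    int has_pwd = pwd != NULL && pwd[0] != '\0';

    if (!has_pwd)
        return has_dn ? BIND_UNAUTHENTICATED : BIND_ANONYMOUS;
    return has_dn ? BIND_NAME_PASSWORD : BIND_INVALID;
}

/* Returns 1 only if the server accepted a bind that carried real credentials.
 * Anything else is refused locally, because a "success" would prove nothing. */
int authenticate_user(bind_fn do_bind, const char *dn, const char *pwd)
{
    if (classify_simple_bind(dn, pwd) != BIND_NAME_PASSWORD)
        return 0;
    return do_bind(dn, pwd) == 0;
}

/* Constructed stand-in for the server behaviour reported in the thread:
 * an empty password always succeeds, a wrong one fails. */
int stub_ad_bind(const char *dn, const char *pwd)
{
    (void)dn;
    if (pwd == NULL || pwd[0] == '\0')
        return 0;
    return strcmp(pwd, "S3cret!") == 0 ? 0 : 49; /* 49 = invalidCredentials */
}

int main(void)
{
    printf("raw bind, blank pwd : %d\n", stub_ad_bind(SAMPLE_DN, "") == 0);
    printf("guarded, blank pwd  : %d\n", authenticate_user(stub_ad_bind, SAMPLE_DN, ""));
    printf("guarded, wrong pwd  : %d\n", authenticate_user(stub_ad_bind, SAMPLE_DN, "WrongPwd"));
    printf("guarded, sample pwd : %d\n", authenticate_user(stub_ad_bind, SAMPLE_DN, "S3cret!"));
    return 0;
}
```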
