LDAP 绑定似乎 return true 密码为空
LDAP Bind seems to return true with blank password
我有这段代码可以根据 LDAP 目录对我的用户进行身份验证。它 returns false 当密码不正确时,但如果密码留空,它无论如何都会对用户进行身份验证。知道为什么会发生这种情况吗?
if (@ldap_bind($ds, $user_dn, $password) || sha1($password) == '484h84h4hf4Ffwj49393393j93j')
{
$valid = true;
}
else $valid = false;
如果您提供空密码,则它向目录服务器表明您正在执行匿名简单绑定。此行为在 RFC 2251 第 4.2.2 节中描述:
If no authentication is to be performed, then the simple
authentication option MUST be chosen, and the password be of zero
length. (This is often done by LDAPv2 clients.) Typically the DN is
also of zero length.
这可能是 LDAP 客户端中一个非常常见的安全漏洞,因为如果他们不验证用户提供的密码是否为空,而是尝试使用非空 DN 和空密码进行绑定,那么他们可以看到它成功了,当服务器没有绑定为提供的 DN 指定的用户而是匿名绑定时。因为这是 LDAP 客户端中的一个常见安全问题,一些服务器拒绝具有非空 DN 但密码为空的绑定请求,并且最新的 LDAPv3 规范鼓励这种行为,如 RFC 4513 第 5.1.2 节所示:
An LDAP client may use the unauthenticated authentication mechanism
of the simple Bind method to establish an anonymous authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP string form [RFC4514] of non-zero length) and specifying
the simple authentication choice containing a password value of zero
length.
The distinguished name value provided by the client is intended to be
used for trace (e.g., logging) purposes only. The value is not to be
authenticated or otherwise validated (including verification that the
DN refers to an existing directory object). The value is not to be
used (directly or indirectly) for authorization purposes.
Unauthenticated Bind operations can have significant security issues
(see Section 6.3.1). In particular, users intending to perform
Name/Password Authentication may inadvertently provide an empty
password and thus cause poorly implemented clients to request
Unauthenticated access. Clients SHOULD be implemented to require
user selection of the Unauthenticated Authentication Mechanism by
means other than user input of an empty password. Clients SHOULD
disallow an empty password input to a Name/Password Authentication
user interface. Additionally, Servers SHOULD by default fail
Unauthenticated Bind requests with a resultCode of
unwillingToPerform.
听起来您的服务器没有这样做。如果它有这样做的选项,那么我强烈建议打开它。但无论如何,使用简单绑定操作来验证用户凭据的设计良好的 LDAP 客户端应该在尝试使用它绑定到服务器之前绝对验证用户是否提供了非空字符串。
我有这段代码可以根据 LDAP 目录对我的用户进行身份验证。它 returns false 当密码不正确时,但如果密码留空,它无论如何都会对用户进行身份验证。知道为什么会发生这种情况吗?
if (@ldap_bind($ds, $user_dn, $password) || sha1($password) == '484h84h4hf4Ffwj49393393j93j')
{
$valid = true;
}
else $valid = false;
如果您提供空密码,则它向目录服务器表明您正在执行匿名简单绑定。此行为在 RFC 2251 第 4.2.2 节中描述:
If no authentication is to be performed, then the simple
authentication option MUST be chosen, and the password be of zero
length. (This is often done by LDAPv2 clients.) Typically the DN is
also of zero length.
这可能是 LDAP 客户端中一个非常常见的安全漏洞,因为如果他们不验证用户提供的密码是否为空,而是尝试使用非空 DN 和空密码进行绑定,那么他们可以看到它成功了,当服务器没有绑定为提供的 DN 指定的用户而是匿名绑定时。因为这是 LDAP 客户端中的一个常见安全问题,一些服务器拒绝具有非空 DN 但密码为空的绑定请求,并且最新的 LDAPv3 规范鼓励这种行为,如 RFC 4513 第 5.1.2 节所示:
An LDAP client may use the unauthenticated authentication mechanism
of the simple Bind method to establish an anonymous authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP string form [RFC4514] of non-zero length) and specifying
the simple authentication choice containing a password value of zero
length.
The distinguished name value provided by the client is intended to be
used for trace (e.g., logging) purposes only. The value is not to be
authenticated or otherwise validated (including verification that the
DN refers to an existing directory object). The value is not to be
used (directly or indirectly) for authorization purposes.
Unauthenticated Bind operations can have significant security issues
(see Section 6.3.1). In particular, users intending to perform
Name/Password Authentication may inadvertently provide an empty
password and thus cause poorly implemented clients to request
Unauthenticated access. Clients SHOULD be implemented to require
user selection of the Unauthenticated Authentication Mechanism by
means other than user input of an empty password. Clients SHOULD
disallow an empty password input to a Name/Password Authentication
user interface. Additionally, Servers SHOULD by default fail
Unauthenticated Bind requests with a resultCode of
unwillingToPerform.
听起来您的服务器没有这样做。如果它有这样做的选项,那么我强烈建议打开它。但无论如何,使用简单绑定操作来验证用户凭据的设计良好的 LDAP 客户端应该在尝试使用它绑定到服务器之前绝对验证用户是否提供了非空字符串。