Treat a zero-length password as a failure

Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD.
SSSD · Aug 24, 2010 · 6094a2e · 6094a2e
1 parent 976e5c7
commit 6094a2e
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
@@ -458,6 +458,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
     req = tevent_req_create(memctx, &state, struct auth_state);
     if (!req) return NULL;
 
+    /* Treat a zero-length password as a failure */
+    if (password.length == 0) {
+        state->result = SDAP_AUTH_FAILED;
+        tevent_req_done(req);
+        return tevent_req_post(req, ev);
+    }
+
     state->ev = ev;
     state->ctx = ctx;
     state->username = username;