do not allow password-less bind: windows accepts this as Anonymous Logon stable
authorAlexandre Fayolle <alexandre.fayolle@logilab.fr>
Sat, 26 Jun 2010 08:42:48 +0000
branchstable
changeset 5836 e654c13b57b8
parent 5835 4125a8021956
child 5837 67c722b36f7c
do not allow password-less bind: windows accepts this as Anonymous Logon
server/sources/ldapuser.py
--- a/server/sources/ldapuser.py	Fri Jun 25 11:29:48 2010 +0200
+++ b/server/sources/ldapuser.py	Sat Jun 26 08:42:48 2010 +0000
@@ -293,7 +293,13 @@
             raise AuthenticationError()
         # check password by establishing a (unused) connection
         try:
-            self._connect(user, password)
+            if password:
+                self._connect(user, password)
+            else:
+                # On Windows + ADAM this would have succeeded (!!!)
+                # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
+                # we really really don't want that
+                raise Exception('No password provided')
         except Exception, ex:
             self.info('while trying to authenticate %s: %s', user, ex)
             # Something went wrong, most likely bad credentials
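Review bot: The new else-branch at `raise Exception('No password provided')` uses a generic exception purely as control flow, only to be caught by the blanket `except Exception, ex:` on the next line and logged at info level as if it were a directory failure. Since this is a deliberate policy check rather than a connection error, it reads more clearly as a guard placed before the `try`, in the same form as the existing `raise AuthenticationError()` at the top of the hunk: `if not password:` / `raise AuthenticationError()`, keeping the Windows/ADAM comment on why an empty password must never reach the bind. That also keeps the info log for genuine bind failures only, which matters if it is used for auditing. The enclosing method starts before the hunk and its handling after the `except` continues past it, so the exact exception the caller expects should be confirmed there.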