LdapIdentityStore is insecure if anonymous LDAP bind is enabled at the LDAP server
----------------------------------------------------------------------------------
Key: JBSEAM-4635
URL:
https://jira.jboss.org/jira/browse/JBSEAM-4635
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.2.0.GA
Environment: -
Reporter: Flo Gle
According to RFC 2829 section 5.1, an LDAP server may accept an empty password as an anonymous
login and allow the bind. RFC 4513 section 5.1.2 establishes new rules for the anonymous
bind, but it does not disallow the old method.
So if the LDAP client sends an empty password string, the server can allow the bind. Using
the LdapIdentityStore on a server that allows such binds results in a security problem:
every username is accepted if the password is empty.
The fix is easy.
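The failure mode described in this report, as an added example that is not Seam's own code: a small in-memory model of LDAP simple-bind semantics (an assumption, modelled on RFC 4513 section 5.1, standing in for a real server) is used to show why "bind succeeded" must not be read as "password verified", and the client-side guard that closes the hole. The directory contents, DN layout and function names are constructed for the example.

```python
# Added example (not from Seam or the bug report): why an LDAP client that
# equates a successful simple bind with a verified password accepts any
# username when the password is empty, and the guard that prevents it.
#
# RFC 4513 s.5.1.2: a simple bind with a non-empty DN and an empty password is
# an "unauthenticated" bind. Servers MAY accept it, but the resulting
# authorization state is anonymous, not the named user.

from dataclasses import dataclass

# Constructed sample directory: DN -> password (assumption for the example).
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=users,dc=example,dc=com": "hunter2",
}


@dataclass
class BindResult:
    success: bool
    authz: str  # "anonymous" or the DN the session is actually bound as


class FakeLdapServer:
    """Minimal model of simple-bind handling (assumption: modelled on RFC 4513 s.5.1)."""

    def __init__(self, allow_unauthenticated: bool):
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            # Anonymous bind (RFC 4513 s.5.1.1): always succeeds, identity is anonymous.
            return BindResult(True, "anonymous")
        if dn != "" and password == "":
            # Unauthenticated bind (RFC 4513 s.5.1.2): the server may accept it,
            # but no credential was checked and the session is anonymous.
            if self.allow_unauthenticated:
                return BindResult(True, "anonymous")
            return BindResult(False, "anonymous")
        if DIRECTORY.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "anonymous")


def user_dn(username: str) -> str:
    """Map a login name to its DN (constructed layout for the example)."""
    return f"uid={username},ou=users,dc=example,dc=com"


def authenticate_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """The pattern the report describes: any successful bind counts as a login."""
    return server.simple_bind(user_dn(username), password).success


def authenticate_fixed(server: FakeLdapServer, username: str, password: str) -> bool:
    """Hardened form: never send an empty password, and insist on a non-anonymous bind."""
    # Guard 1: an empty (or missing) password is not a credential; reject it
    # client-side so the server's policy on unauthenticated binds never matters.
    if not password:
        return False
    result = server.simple_bind(user_dn(username), password)
    # Guard 2 (defence in depth): the bound identity must be the user we asked
    # for, not anonymous, in case the server maps other inputs to anonymous.
    return result.success and result.authz == user_dn(username)


if __name__ == "__main__":
    lax = FakeLdapServer(allow_unauthenticated=True)
    print("vulnerable, alice + empty password:", authenticate_vulnerable(lax, "alice", ""))
    print("vulnerable, unknown user + empty password:", authenticate_vulnerable(lax, "nobody", ""))
    print("fixed, alice + empty password:", authenticate_fixed(lax, "alice", ""))
    print("fixed, alice + real password:", authenticate_fixed(lax, "alice", "correct horse battery staple"))
```

The first guard is the one-line fix the report alludes to; the second is cheap insurance for servers with other lenient bind mappings, and both sit in the client because the server's anonymous-bind policy is usually outside the application's control.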