By: James Hunt
RE: Security bug?
2008-03-07 16:27
It's funny, when you run into an issue, google for it, and find your suggested solution. It's even funnier when your solution still doesn't work.

To anyone who finds this post while troubleshooting this issue, Barrow's solution is correct. I still don't know if this is an LDAP, AD or Net::LDAP bug, but empty passwords should be filtered before you call bind or bind_as.

By: James Hunt
RE: Security bug?
2007-07-05 13:40
That sounds like an LDAP Server that is allowing anonymous bind, which is normal.

You may want to look into the bind_as method instead of bind: bind anonymously to the server, then attempt a bind_as using the user's credentials (which *should* fail if the credentials are wrong, without attempting an anonymous bind).

By: Barrow Kwan
Security bug?
2007-07-03 16:17
Not sure if this is a bug or the "bind" function returns something else.

In the following snippet:

....
ldap_con = Net::LDAP.new( {:host => ldapserver, :port => ldapport, :auth => { :method => :simple, :username => dn, :password => password}} )
if ldap_con.bind
.....

If we set password to blank (i.e. password = ''), ldap_con.bind will return true (or return a valid object). We are using ldap_con.bind to check someone's credentials in our app. Now, when a user types in a username with a blank password, they can get into our app. I have made a temporary fix by checking whether the password is empty or not.

Any thoughts?
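The empty-password guard that Barrow and James converge on, as an added example that is not code from any poster here and does not use the real Net::LDAP gem: the FakeDirectory class is a constructed stand-in for a directory server that treats a non-empty DN with an empty password as an unauthenticated (anonymous) bind and reports success, which is the behaviour the thread describes. The naive check trusts bind's return value alone; the safe check refuses empty credentials before any bind is attempted.

```ruby
# Constructed stand-in for an LDAP server that accepts "unauthenticated simple
# bind": a DN plus an empty password succeeds as an anonymous session. This is a
# hypothetical double used only to show the failure mode, not Net::LDAP itself.
class FakeDirectory
  def initialize(accounts)
    @accounts = accounts # { dn => password }
  end

  # Mimics Net::LDAP#bind with :simple auth: true on success, false otherwise.
  def bind(dn, password)
    # Empty password => server treats the bind as anonymous and says "ok",
    # regardless of the DN. This is what lets a blank password "log in".
    return true if password.to_s.empty?
    @accounts.key?(dn) && @accounts[dn] == password
  end
end

# The check from the original post: trusts the bind result alone.
def naive_login?(dir, dn, password)
  dir.bind(dn, password) ? true : false
end

# Hardened check: reject a missing DN or an empty password before calling
# bind, so an anonymous/unauthenticated bind can never be read as a login.
def safe_login?(dir, dn, password)
  return false if dn.nil? || dn.strip.empty?
  return false if password.nil? || password.empty?
  dir.bind(dn, password) ? true : false
end

# Constructed sample account (hypothetical DN and password).
ACCOUNTS = { 'cn=alice,dc=example,dc=com' => 'correct horse' }.freeze

if __FILE__ == $PROGRAM_NAME
  dir = FakeDirectory.new(ACCOUNTS)
  alice = 'cn=alice,dc=example,dc=com'
  puts "naive, blank password: #{naive_login?(dir, alice, '')}"          # true (the bug)
  puts "safe,  blank password: #{safe_login?(dir, alice, '')}"           # false
  puts "safe,  right password: #{safe_login?(dir, alice, 'correct horse')}" # true
end
```

The same guard belongs in front of bind_as as well, since the unauthenticated bind happens server-side whichever client method issues it.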