Before doing any bind check that the provided username is not NULL and that the

password is neither NULL nor empty.

Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.
This causes authentications that use user supplied credentials
(AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of
401 if the user supplied an empty password.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885940 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 592c1ef3ed81dcb80ab1c58d695968b88b78f984..aed5b1eb049d4bc4953ac5b3f1061f7ec77018e5 100644 (file)
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -539,6 +539,32 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
         return AUTH_GENERAL_ERROR;
     }
 
+    /* Get the password that the client sent */
+    if (password == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
+                      "auth_ldap authenticate: no password specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    if (user == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
+                      "auth_ldap authenticate: no user specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    /*
+     * A bind to the server with an empty password always succeeds, so
+     * we check to ensure that the password is not empty. This implies
+     * that users who actually do have empty passwords will never be
+     * able to authenticate with this module. I don't see this as a big
+     * problem.
+     */
+    if (!(*password)) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
+                      "auth_ldap authenticate: empty password specified");
+        return AUTH_DENIED;
+    }
+
     /* There is a good AuthLDAPURL, right? */
     if (sec->host) {
         const char *binddn = sec->binddn;
@@ -562,21 +588,6 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)
                   "auth_ldap authenticate: using URL %s", sec->url);
 
-    /* Get the password that the client sent */
-    if (password == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
-                      "auth_ldap authenticate: no password specified");
-        release_ldc(r, ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
-    if (user == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
-                      "auth_ldap authenticate: no user specified");
-        release_ldc(r, ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
     /* build the username filter */
     if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622)