If you provide an empty password, then it indicates that you are performing an anonymous simple bind to the directory server. This behaviour is described in RFC 2251, section 4.2.2:
If no authentication is to be performed, then the simple
authentication option MUST be chosen, and the password be of zero
length. (This is often done by LDAPv2 clients.) Typically the DN is
also of zero length.
This can be a very common security vulnerability in LDAP clients, because if they don't verify that the user provided a non-empty password but try to bind with a non-empty DN and an empty password, then they can see it succeed when the server, rather than binding as the user identified by the provided DN, binds anonymously. Because this is a common security problem in LDAP clients, some servers reject bind requests that have a non-empty DN but an empty password, and this behaviour is encouraged by the latest LDAPv3 specification, as described in RFC 4513, section 5.1.2:
An LDAP client may use the unauthenticated authentication mechanism
of the simple Bind method to establish an anonymous authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP string form [RFC4514] of non-zero length) and specifying
the simple authentication choice containing a password value of zero
length.
The distinguished name value provided by the client is intended to be
used for trace (e.g., logging) purposes only. The value is not to be
authenticated or otherwise validated (including verification that the
DN refers to an existing directory object). The value is not to be
used (directly or indirectly) for authorization purposes.
Unauthenticated Bind operations can have significant security issues
(see Section 6.3.1). In particular, users intending to perform
Name/Password Authentication may inadvertently provide an empty
password and thus cause poorly implemented clients to request
Unauthenticated access. Clients SHOULD be implemented to require
user selection of the Unauthenticated Authentication Mechanism by
means other than user input of an empty password. Clients SHOULD
disallow an empty password input to a Name/Password Authentication
user interface. Additionally, Servers SHOULD by default fail
Unauthenticated Bind requests with a resultCode of
unwillingToPerform.
It sounds like your server doesn't do this. If it has an option to do so, then I'd strongly recommend turning it on. But regardless, a well-designed LDAP client that uses the simple bind operation to verify user credentials should absolutely verify that the user provided a non-empty string before attempting to use it to bind to the server.
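To make the failure mode above concrete, here is an added example (not code from the answer above): a simulated directory that applies the RFC 4513 simple-bind rules, next to a naive client that treats any successful bind as a password check and a hardened client that rejects empty input first. The `SimulatedDirectory` class, its constructed user entry and the `reject_unauthenticated` switch are assumptions standing in for a real server.

```python
# LDAP resultCode values from RFC 4511 Appendix A.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


class SimulatedDirectory:
    """Stand-in for a directory server (constructed for this example, not a real LDAP server)."""

    def __init__(self, users, reject_unauthenticated=True):
        self.users = users                                  # {dn: password}
        self.reject_unauthenticated = reject_unauthenticated  # RFC 4513 5.1.2 "SHOULD by default"

    def simple_bind(self, dn, password):
        """Return (resultCode, authorization identity) following RFC 4513 section 5.1."""
        if dn == "" and password == "":
            return SUCCESS, "anonymous"                     # 5.1.1: anonymous bind
        if password == "":
            # 5.1.2: unauthenticated bind. The DN is for tracing only and is NOT verified.
            if self.reject_unauthenticated:
                return UNWILLING_TO_PERFORM, None
            return SUCCESS, "anonymous"
        if self.users.get(dn) == password:
            return SUCCESS, dn                              # 5.1.3: name/password authentication
        return INVALID_CREDENTIALS, None


def naive_login(directory, dn, password):
    """Buggy pattern: a successful bind is taken as proof that the password was right."""
    code, _ = directory.simple_bind(dn, password)
    return code == SUCCESS


def hardened_login(directory, dn, password):
    """Safe pattern: refuse empty input before the bind, so an unauthenticated
    bind can never be mistaken for a verified password."""
    if not dn or not password:
        return False
    code, _ = directory.simple_bind(dn, password)
    return code == SUCCESS


if __name__ == "__main__":
    lenient = SimulatedDirectory({"uid=alice,dc=example,dc=com": "s3cret"},
                                 reject_unauthenticated=False)
    print(naive_login(lenient, "uid=alice,dc=example,dc=com", ""))     # True: the bug
    print(hardened_login(lenient, "uid=alice,dc=example,dc=com", ""))  # False
```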