Policy Server :: User Store : LDAP Searches and Blank Username

Document ID : KB000048393
Last Modified Date : 14/02/2018

Description:

When a resource is protected by a Web Agent and the user submits a blank value as the username, an LDAP search is issued that covers all users in the LDAP User Store.

Solution:

The root cause is that the LDAP server is too permissive. The Policy Server does not iterate over all users; rather, a null user id produces a filter with an empty value, which the LDAP server applies to all available data on its side, as the snippet shows:

[19862/39][Thu Oct 31 2013 07:48:53]
[SmDsLdapProvider.cpp:1668][ERROR]
CSmDsLdapProvider::Search(): Wrong syntax of LDAP
search filter:(&(uid=)(objectClass=Employee))

This is due to a gap in the configuration of the User Store, as described in the LDAP authentication guidance referenced below:

In the event that a client transmits a BIND request with a null name and a non-null password, the server behavior is undefined by the standard; therefore, the server should be configured to reject this type of BIND request and set the result code in the BIND response to '53' (unwillingToPerform), since no authentication takes place. This type of BIND request might be transmitted by a client intending an anonymous BIND request but with leftover text in the password field.

http://www.ldapguru.info/ldap/authentication-best-practices.html
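The following is an added example, not code from this article or from the Policy Server product. It shows how a blank username turns into the empty-valued filter seen in the log above, an application-side guard that refuses to build such a filter (with RFC 4515 value escaping added as a generalization beyond this article), and a small check that flags the matching ERROR entries in Policy Server log text. The object class "Employee" and the log sample are taken from the snippet above; the function names are the example's own.

```python
import re

OBJECT_CLASS = "Employee"  # object class from the filter in the log snippet above

def naive_uid_filter(username: str) -> str:
    """Problematic construction: the username is interpolated as-is, so a
    blank value yields (uid=), which the server applies to every entry."""
    return f"(&(uid={username})(objectClass={OBJECT_CLASS}))"

# RFC 4515 escaping for values placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def safe_uid_filter(username: str) -> str:
    """Reject blank or whitespace-only usernames before any search is issued,
    and escape the rest so the value cannot change the filter structure."""
    if username is None or not username.strip():
        raise ValueError("blank username: refusing to build an LDAP search filter")
    return f"(&(uid={escape_filter_value(username.strip())})(objectClass={OBJECT_CLASS}))"

def rejects_blank(username) -> bool:
    """True if safe_uid_filter refuses the given username."""
    try:
        safe_uid_filter(username)
    except ValueError:
        return True
    return False

# Detection: flag Policy Server log entries that report a filter with an empty uid.
LOG_PATTERN = re.compile(r"Wrong syntax of LDAP\s*search filter:\s*(?P<filter>\(.*\))")
EMPTY_UID = re.compile(r"\(uid=\)")

def find_blank_uid_searches(log_text: str) -> list:
    """Return every offending filter string found in the log text."""
    return [m.group("filter") for m in LOG_PATTERN.finditer(log_text)
            if EMPTY_UID.search(m.group("filter"))]

# Constructed sample, copied from the log lines quoted in this article.
SAMPLE_LOG = """[19862/39][Thu Oct 31 2013 07:48:53]
[SmDsLdapProvider.cpp:1668][ERROR]
CSmDsLdapProvider::Search(): Wrong syntax of LDAP
search filter:(&(uid=)(objectClass=Employee))
"""

if __name__ == "__main__":
    print(naive_uid_filter(""))            # shows the empty-uid filter
    print(find_blank_uid_searches(SAMPLE_LOG))
```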