# HG changeset patch
# User Shawn K. O'Shea
# Date 2011-11-07 21:06:24
# Node ID 40db9e0867736e3c93390f277d912cd0ee88c088
# Parent 3387b53044bfe36c246815daadb4986e2117fc28
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
diff --git a/rhodecode/lib/auth_ldap.py b/rhodecode/lib/auth_ldap.py
--- a/rhodecode/lib/auth_ldap.py
+++ b/rhodecode/lib/auth_ldap.py
@@ -87,6 +87,9 @@ class AuthLdap(object):
         uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
+        if not password:
+            log.debug("Attempt to authenticate LDAP user with blank password rejected.")
+            raise LdapPasswordError()
         if "," in username:
             raise LdapUsernameError("invalid character in username: ,")
         try:
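Review bot: The new guard raises `LdapPasswordError()` with no message, while the sibling check two lines below raises `LdapUsernameError("invalid character in username: ,")`; if the two exception classes share a constructor, `raise LdapPasswordError("blank password is not allowed")` keeps the style consistent and gives the caller a usable reason. The reason for the check is only in the commit message, so a one-line comment above the `if` would stop a future maintainer from removing it as redundant: `# RFC 4513 section 6.3.1: a simple bind with an empty password is an unauthenticated (anonymous) bind and must not count as a login.` The rejection is logged at debug level only, so repeated blank-password attempts will not show up in a default log configuration; consider `log.warning` or `log.info` so they are visible to monitoring, keeping the message free of the credential as it is now. The enclosing method begins before this hunk and its `try:` body continues after it.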