

Issue #33 resolved


Anonymous created an issue

django-auth-ldap makes the assumption that bind will fail with an empty password; this isn't true of all LDAP server configurations. An option could be added to reject empty passwords outright. It would probably be safer, but technically backwards-incompatible.

Comments (2)

  1. Peter Sagerson repo owner

    Fix #33: Reject empty passwords by default.

    Unless AUTH_LDAP_PERMIT_EMPTY_PASSWORD is set to True, LDAPBackend.authenticate() will immediately return None if the password is empty. This is technically backwards-incompatible, but it's a more secure default for those LDAP servers that are configured such that binds without passwords always succeed.

    → <<cset f7967833adfb>>
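    The guard the commit describes, as an added illustration that is not django-auth-ldap's own code: a constructed stand-in LDAP server that treats an empty password as an unauthenticated bind and reports success, beside a backend sketch whose authenticate() returns None for an empty password unless a setting named after AUTH_LDAP_PERMIT_EMPTY_PASSWORD is True. The FakeLdapServer, Settings class and DN template are assumptions for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Constructed stand-in for a directory, not a real LDAP client.

    Some server configurations treat a bind with an empty password as an
    *unauthenticated* bind and report success even though no credential was
    checked. That is the failure mode the issue describes.
    """
    passwords: dict = field(default_factory=dict)   # dn -> password (sample)
    allows_unauthenticated_bind: bool = True

    def bind(self, dn: str, password: str) -> bool:
        if not password:
            return self.allows_unauthenticated_bind   # no credential checked!
        return self.passwords.get(dn) == password


@dataclass
class Settings:
    # Hypothetical settings object; the default (False) rejects empties.
    AUTH_LDAP_PERMIT_EMPTY_PASSWORD: bool = False


class LdapBackend:
    """Sketch of the authenticate() guard; not django-auth-ldap's code."""

    # Assumed DN template, analogous to a user DN template setting.
    dn_template = "uid=%(user)s,ou=people,dc=example,dc=com"

    def __init__(self, server: FakeLdapServer, settings: Settings):
        self.server = server
        self.settings = settings

    def authenticate(self, username: str, password: str):
        # Refuse before touching the server: an empty password must never be
        # able to turn an unauthenticated bind into a logged-in user.
        if not password and not self.settings.AUTH_LDAP_PERMIT_EMPTY_PASSWORD:
            return None
        dn = self.dn_template % {"user": username}
        return username if self.server.bind(dn, password) else None


SAMPLE_SERVER = FakeLdapServer(
    passwords={"uid=alice,ou=people,dc=example,dc=com": "s3cret"})
```

Running authenticate("alice", "") against SAMPLE_SERVER with the default Settings returns None, while the same call with AUTH_LDAP_PERMIT_EMPTY_PASSWORD=True logs alice in without any credential check.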
