AnsweredAssumed Answered

LDAP server with anonymous login

Question asked by rludvig on Apr 7, 2006
Latest reply on Apr 10, 2006 by andy
I have noticed that the LDAP authentication included in the Enterprise Edition has a security issue with LDAP servers that fallback to anonymous binding in case of invalid credentials. More specifically, if a LDAP server behaves as mentioned, any credentials will give access to the web-client, webdav, ftp, etc. but Alfresco will not treat the user as guest, but will think it's the user specified with the username. So entering admin and whatever password will give admin rights, even if this is not correct behaviour.

This issue, while not a bug, should be well documented. Additionally, are there any plans to support a better LDAP integration, that also takes into account this situation (probably by giving up the JNDI usage in favor of a better LDAP API) ??