CA Directory interprets a bind request that carries a full set of credentials (distinguished name plus password) differently from a bind request that carries only a distinguished name (DN) and no password.
For a credentialed bind to be processed correctly by CA Directory, it must contain both a distinguished name and a password. If a bind request is found to contain only the distinguished name, it is translated into an anonymous bind. Of the two directory trace snippets below, the first illustrates a correct bind using a distinguished name and password; the second illustrates a bind using only a distinguished name.
Bind with password defined.
> [4936] <-- LDAP MESSAGE messageID 1
> [4936] BindRequest
> [4936] version: 3
> [4936] name: cn= Joe Bloggs,ou=TestDept,dc=forwardinc,dc=com
> [4936] authentication:
> [4936] simple: (masked)
> [4936]
! [4936] UserCreateAssoc: 012B5714 0 (total=0)
! [4936]
> [4936]
> [4936] <- #0 LDAP BIND-REQ
> [4936] invoke-id = 1 credit = 4
> [4936] User:
> [4936] <cosineDomainComponent "com">
> [4936] <cosineDomainComponent "forwardinc">
> [4936] <organizationalUnitName "TestDept">
> [4936] <commonName "Joe Bloggs">
> [4936] Password: (masked)
> [4936] Remote address:
> [4936] nsap = aaa.bbb.ccc.ddd:1744
> [4936]
! [4936] doLocalResponse
! [4936] UserBindEvent
! [4936] bindEventPasswordCompare
! [4936] UserBindAccept: association=0
! [4936] UserPwdSetModOnly
! [4936] ----------userSendIdu (000/001)----------20081216.134328.052
! [4936]
> [4936]
> [4936] -> #0 LDAP BIND-CONFIRM
> [4936] invoke-id = 1 credit = -5
> [4936] User:
> [4936] <cosineDomainComponent "com">
> [4936] <cosineDomainComponent "forwardinc">
> [4936] <commonName "Joe-ForwardInc">
> [4936]
> [4936]
> [4936] --> LDAP MESSAGE messageID 1
> [4936] BindResponse
> [4936] resultCode: success
> [4936] matchedDN:
> [4936] errorMessage:
Bind with no password defined.
> <-- LDAP MESSAGE messageID 1
> BindRequest
> version: 3
> name: eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=IDM,dc=etadb
> authentication:
> simple: (masked)
>
! UserCreateAssoc: d02fec 0 (total=0)
>
> <- #0 LDAP BIND-REQ
> invoke-id = 1 credit = 4
> User:
> <cosineDomainComponent "etadb">
> <cosineDomainComponent "IDM">
> <eTNamespaceName "CommonObjects">
> <eTDSAContainerName "DSAs">
> Remote address:
> nsap = "0x011010000FABCD0000000000000"
>
! ----------UserRequest (000/001)----------20090113.171337.159
! userRequest
! UserBindRequest
! Bind: Treating simple credentials as anonymous bind
? 20090113.171337.159 WARN : Bind: Credentials not supplied
! ----------userSendIdu (000/001)----------20090113.171337.159
!
>
> -> #0 LDAP BIND-REFUSE
> invoke-id = 1 credit = -1024
> Bind Error: Security Error: Inappropriate authentication
>
> --> LDAP MESSAGE messageID 1
> BindResponse
> resultCode: inappropriateAuthentication
> matchedDN:
> errorMessage:
In the second trace snippet the line "Bind: Treating simple credentials as anonymous bind" shows the directory treating the incomplete set of bind credentials as an anonymous bind.
If the minimum authentication level (min-auth) is set to "clear-password", such a downgraded bind does not proceed anonymously but fails; the second trace shows that outcome, with the bind refused and a BindResponse resultCode of inappropriateAuthentication.
Please ensure that all credentialed binds supply both a distinguished name and a password.
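As an added example (not CA Directory's own code), the Python below shows the two checks a practitioner would want around this behaviour: a client-side guard that refuses to send a simple bind carrying a DN but no password, so the directory never has to downgrade it, and a scanner over directory trace output that reports each bind the directory treated as anonymous together with the DN that was sent without a password. The trace excerpt inside the block is constructed in the style of the snippets above and is not a real capture; the function names and the mapping of credential combinations to bind kinds are this example's own.

```python
"""Guard and trace check for CA Directory simple binds (added example).

The guard mirrors what the page describes: a bind with a DN and no password
is downgraded to an anonymous bind (or refused under min-auth = clear-password),
so a client should never send one. The scanner flags such downgrades in trace output.
"""
import re
from typing import Iterable, List, Optional, Tuple


def classify_simple_bind(dn: str, password: str) -> str:
    """Return how CA Directory will treat a simple bind with these values.

    '' DN and '' password -> 'anonymous'
    DN but '' password    -> 'anonymous' (DN-only bind is translated to anonymous)
    DN and password       -> 'credentialed'
    '' DN but a password  -> 'invalid' (nothing to authenticate as)
    """
    has_dn = bool(dn.strip())
    has_pw = bool(password)
    if has_dn and has_pw:
        return "credentialed"
    if has_dn or not has_pw:
        return "anonymous"
    return "invalid"


def require_credentialed_bind(dn: str, password: str) -> Tuple[str, str]:
    """Call before handing credentials to an LDAP client library.

    Raises ValueError instead of silently sending a bind the server would
    downgrade; this is the client-side counterpart of min-auth = clear-password.
    """
    kind = classify_simple_bind(dn, password)
    if kind != "credentialed":
        raise ValueError(f"refusing simple bind for {dn!r}: would be treated as {kind} bind")
    return dn, password


# Constructed trace excerpt in the style of the page's snippets (not a real capture).
SAMPLE_TRACE = """\
> [4936] <-- LDAP MESSAGE messageID 1
> [4936] BindRequest
> [4936] name: cn=Joe Bloggs,ou=TestDept,dc=forwardinc,dc=com
> [4936] authentication:
> [4936] simple: (masked)
! [4936] bindEventPasswordCompare
! [4936] UserBindAccept: association=0
> <-- LDAP MESSAGE messageID 2
> BindRequest
> name: eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=IDM,dc=etadb
> authentication:
> simple: (masked)
! Bind: Treating simple credentials as anonymous bind
? 20090113.171337.159 WARN : Bind: Credentials not supplied
> -> #0 LDAP BIND-REFUSE
"""

# 'name:' line of a BindRequest, with or without the "[pid]" column.
_NAME_RE = re.compile(r"^>\s*(?:\[\d+\]\s*)?name:\s*(.*?)\s*$")
# The trace line emitted when the DSA downgrades a DN-only bind.
_DOWNGRADE_RE = re.compile(r"Bind: Treating simple credentials as anonymous bind")


def find_downgraded_binds(lines: Iterable[str]) -> List[Tuple[int, Optional[str]]]:
    """Return (line_number, bind DN) for each bind the directory downgraded.

    The DN comes from the most recent BindRequest 'name:' line, so the report
    names which identity was sent without a password. Only the 'Treating ...'
    line is counted; the paired WARN line is not reported a second time.
    """
    hits: List[Tuple[int, Optional[str]]] = []
    last_dn: Optional[str] = None
    for lineno, line in enumerate(lines, start=1):
        m = _NAME_RE.match(line)
        if m:
            last_dn = m.group(1) or None
            continue
        if _DOWNGRADE_RE.search(line):
            hits.append((lineno, last_dn))
    return hits


if __name__ == "__main__":
    for lineno, dn in find_downgraded_binds(SAMPLE_TRACE.splitlines()):
        print(f"line {lineno}: bind for {dn} downgraded to anonymous")
    try:
        require_credentialed_bind("cn=Joe Bloggs,ou=TestDept,dc=forwardinc,dc=com", "")
    except ValueError as exc:
        print(exc)
```

Run the scanner over the DSA's trace file (the `>`/`!`/`?` prefixed lines) to find applications or connectors that are binding with a DN and an empty password; each hit is a place where a credentialed bind is silently running with anonymous rights, or, under min-auth = clear-password, failing.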