A bug in the LDAP Resolver can lead to unauthorized access as an LDAP user.
Under certain conditions a rogue user can login as an LDAP user to the privacyIDEA web UI or guess a static password part during authentication when the policy scope=authentication, otppin=userstore is used.
This problem only occurs, when both conditions are met:
- The LDAP resolver defines a wrong, not existing UID-Type.
- The LDAP server is configured to allow anonymous binds.
During the password verification process, the LDAP resolver tries to find the user with the given UID – defined by the UID type. It then uses the user objects DN to bind to the LDAP server.
If the UID type does not exist, the LDAP resolver will get an empty DN to bind to the LDAP server. Binding with an empty DN is equal to an anonymous bind. If your LDAP server accepts anonymous binds, the bind will be successfull and the password verification is regarded as successful.
If you have an LDAP server, that allows anonymous binds, you should check your LDAP resolver. Please check, that the UID Type you specified, really exist.
Verify authenticating to the Web UI with an existing LDAP user, but with an invalid password.
This bug is fixed in this commit and will be release with version 2.6 shortly.