013e2ea Ensure that a password exists after OTP validation

1 file. Authored by npmccallum 9 years ago, committed by pvoborni 9 years ago.
    Ensure that a password exists after OTP validation
    
    Before this patch users could log in using only the OTP value. This
    arose because ipapwd_authentication() successfully determined that
    an empty password was invalid, but 389 itself would see this as an
    anonymous bind. An anonymous bind would never even get this far in
    this code, so we simply deny requests with empty passwords.
    
    This patch resolves CVE-2014-7828.
    
    https://fedorahosted.org/freeipa/ticket/4690
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
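
The failure mode described in the commit message, as an added example in C. It is a simplified model, not FreeIPA or 389 code. The function names, the 6-character token suffix, the plaintext comparison and the account values are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OTP_LEN 6   /* assumption: the token is the last 6 characters */

enum bind_rc { BIND_OK = 0, BIND_DENY = 1 };

/* Constructed account record; a real server compares hashes, not plaintext. */
struct account { const char *password; const char *expected_otp; };

/* Stand-in for the server's simple-bind handling: a zero-length
 * credential is taken as an anonymous bind and is never compared. */
static enum bind_rc server_simple_bind(const struct account *a,
                                       const char *pw, size_t pw_len)
{
    if (pw_len == 0)
        return BIND_OK;                 /* anonymous path: no password check */
    if (strlen(a->password) == pw_len && memcmp(a->password, pw, pw_len) == 0)
        return BIND_OK;
    return BIND_DENY;
}

/* Hypothetical pre-bind step: validate the trailing OTP, then pass the
 * remaining password on. require_password selects the hardened behaviour. */
enum bind_rc otp_prebind(const struct account *a, const char *cred,
                         int require_password)
{
    size_t len = strlen(cred);
    if (len < OTP_LEN)
        return BIND_DENY;               /* too short to carry a token */
    size_t pw_len = len - OTP_LEN;
    if (memcmp(cred + pw_len, a->expected_otp, OTP_LEN) != 0)
        return BIND_DENY;               /* wrong token */
    if (require_password && pw_len == 0)
        return BIND_DENY;               /* deny empty password after OTP */
    return server_simple_bind(a, cred, pw_len);
}

int main(void)
{
    struct account demo = { "hunter2!", "492817" };   /* constructed values */
    printf("OTP only, no check:   %d\n", otp_prebind(&demo, "492817", 0));
    printf("OTP only, with check: %d\n", otp_prebind(&demo, "492817", 1));
    return 0;
}
```

With `require_password` set, a credential that carries only a valid token is rejected before the empty remainder can reach the anonymous-bind path.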