I think most LDAP servers will treat a blank password as an anonymous bind unless configured not to. Without getting into code changes or ldap configuration, I think you can address this by using "bind-search-compare" or "bind-search-bind" instead of "bind" in your jaas config, but that will also require you to have a service ldap account for fcrepo that can retrieve passwords to compare.
If you're willing to install a custom module, it wouldn't be hard to put one together that rejects blank passwords, or that identifies an anonymously bound user as "anonymous". I don't use that module, so I don't know what folks' expectations are around it.

- Ben

On Wed, Oct 10, 2012 at 3:27 PM, David Lacy <david.l...@villanova.edu> wrote:
> Yes
>
> David Lacy
> Falvey Library Technology Services
> Villanova University
> library.villanova.edu
> 610-519-7361
>
>
>> -----Original Message-----
>> From: Benjamin Armintor [mailto:armin...@gmail.com]
>> Sent: Wednesday, October 10, 2012 3:15 PM
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] FESL and LDAP problem
>>
>> David:
>> Does your ldap server allow anonymous binds?
>>
>> - Ben
>>
>> On Wed, Oct 10, 2012 at 1:30 PM, David Lacy <david.l...@villanova.edu> wrote:
>> > Hello,
>> >
>> > I have configured my jaas.conf to use LDAP for authentication. On the
>> > surface everything appears to work fine, incorrect username/password
>> > combinations result in 401 responses, valid credentials provide access.
>> > BUT, a valid username with a blank password also provides access, which is bad.
>> >
>> > I'm testing 3.6.1. For sanity's sake I tested this on a fresh install of 3.5
>> > with authN and authZ enabled, and reached the same result.
>> >
>> > I'm using the standard xacml-2.0 policies plus one basic one granting api-a
>> > to a specific IP range. It is included below.
>> >
>> > Here's my jaas.conf
>> >
>> > fedora-auth
>> > {
>> >     org.fcrepo.server.security.jaas.auth.module.LdapModule sufficient
>> >         host.url="ldap://XXX.XXX.XXX:XXX/"
>> >         auth.type="simple"
>> >         bind.mode="bind"
>> >         bind.filter="uid={0},ou=People,o=XXX.XXX"
>> >         attrs.fetch="ou,falvey"
>> >         debug=true;
>> >
>> >     org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule sufficient
>> >         debug=true;
>> > };
>> >
>> > My API-A Policy:
>> >
>> > <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>> >         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>> >         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>> >         PolicyId="permit-apia-to-localhost"
>> >         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>> >
>> >   <Description>A Policy that grants read access to localhost</Description>
>> >   <Target>
>> >     <Actions>
>> >       <!-- Generic Read -->
>> >       <Action>
>> >         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> >           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>> >           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> >         </ActionMatch>
>> >       </Action>
>> >     </Actions>
>> >   </Target>
>> >
>> >   <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
>> >     <Condition>
>> >       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>> >         <!-- Permit this 'Bag' -->
>> >         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>> >           <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> >           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>> >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
>> >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">::1</AttributeValue>
>> >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0:0:0:0:0:0:0:1</AttributeValue>
>> >           </Apply>
>> >         </Apply>
>> >         <!-- OR Permit this subnet string -->
>> >         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
>> >           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX\.XXX\.\d{1,3}\.\d{1,3}</AttributeValue> <!-- Villanova Subnet -->
>> >           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>> >             <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> >           </Apply>
>> >         </Apply>
>> >       </Apply>
>> >     </Condition>
>> >   </Rule>
>> > </Policy>
>> >
>> > Thanks for your time.
>> >
>> > David Lacy
>> > Falvey Library Technology Services
>> > Villanova University
>> > library.villanova.edu
>> >
>> > ------------------------------------------------------------------------------
>> > Don't let slow site performance ruin your business. Deploy New Relic APM
>> > Deploy New Relic app performance management and know exactly
>> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
>> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>> > http://p.sf.net/sfu/newrelic-dev2dev
>> > _______________________________________________
>> > Fedora-commons-users mailing list
>> > Fedora-commons-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
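An added example (not code from fcrepo, the LdapModule or anyone in this thread) modelling the two checks Ben describes: refusing a blank password before any bind is attempted, and verifying after a successful bind that the session is really the user's DN rather than anonymous. FakeLdap is a constructed stand-in for a directory that, like many servers by default, accepts a DN with an empty password as an "unauthenticated" bind (RFC 4513 section 5.1.2) and treats the session as anonymous; the bind DN template mirrors the thread's bind.filter with a placeholder base DN.

```python
"""Reject LDAP unauthenticated binds at the application layer (added example)."""
from dataclasses import dataclass, field


@dataclass
class FakeLdap:
    """Constructed stand-in for a directory server; not a real LDAP client."""
    users: dict = field(default_factory=dict)  # constructed store: DN -> password
    bound_as: str = ""                         # "" means the session is anonymous

    def bind(self, dn: str, password: str) -> bool:
        # A DN with an empty password is an 'unauthenticated bind': the server
        # answers success but the session carries no identity at all.
        if password == "":
            self.bound_as = ""
            return True
        ok = self.users.get(dn) == password
        self.bound_as = dn if ok else ""
        return ok

    def who_am_i(self) -> str:
        # Mirrors the "Who am I?" extended operation (RFC 4532); a real server
        # returns "dn:<DN>" for a bound user and an empty string for anonymous.
        return f"dn:{self.bound_as}" if self.bound_as else ""


def bind_dn(uid: str) -> str:
    # Same shape as the thread's bind.filter, with {0} replaced by the uid.
    # "o=example.org" is a placeholder for the site's own base DN.
    return f"uid={uid},ou=People,o=example.org"


def vulnerable_login(ldap: FakeLdap, uid: str, password: str) -> bool:
    # The behaviour reported in the thread: "bind succeeded" is taken as "authenticated".
    return ldap.bind(bind_dn(uid), password)


def hardened_login(ldap: FakeLdap, uid: str, password: str) -> bool:
    # 1. A blank or whitespace-only password is not a credential; never send it.
    if not password or not password.strip():
        return False
    dn = bind_dn(uid)
    if not ldap.bind(dn, password):
        return False
    # 2. Confirm the server actually authenticated us as that DN, not anonymously.
    return ldap.who_am_i() == f"dn:{dn}"


def demo() -> dict:
    ldap = FakeLdap(users={bind_dn("dlacy"): "correct horse"})  # constructed account
    return {
        "vuln_blank": vulnerable_login(ldap, "dlacy", ""),          # True: the bug
        "hard_blank": hardened_login(ldap, "dlacy", ""),            # False
        "hard_good": hardened_login(ldap, "dlacy", "correct horse"),  # True
        "hard_bad": hardened_login(ldap, "dlacy", "wrong"),         # False
    }
```

Against a real directory the same two checks apply unchanged: keep the empty-password guard in front of the bind call, and use the server's Who am I? response (or an equivalent) to confirm the bound identity before granting access.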