[ https://issues.apache.org/jira/browse/ARTEMIS-2010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram updated ARTEMIS-2010:
------------------------------------
Description:
The [LDAP spec|https://tools.ietf.org/html/rfc4513#section-6.3.1] states:
bq. Operational experience shows that clients can (and frequently do) misuse
the unauthenticated authentication mechanism of the simple Bind method (see
Section 5.1.2). For example, a client program might make a decision to grant
access to non-directory information on the basis of successfully completing a
Bind operation. LDAP server implementations may return a success response to
an unauthenticated Bind request. This may erroneously leave the client with
the impression that the server has successfully authenticated the identity
represented by the distinguished name when in reality, an anonymous
authorization state has been established. Clients that use the results from a
simple Bind operation to make authorization decisions should actively detect
unauthenticated Bind requests (by verifying that the supplied password is not
empty) and react appropriately.
Artemis falls into this last category of "Clients that use the results from
a simple Bind operation to make authorization decisions." Therefore the
{{LDAPLoginModule}} should reject authentication attempts using empty or null
passwords.
was:
The [LDAP spec|https://tools.ietf.org/html/rfc4513#section-6.3.1] states:
bq. Operational experience shows that clients can (and frequently do) misuse
the unauthenticated authentication mechanism of the simple Bind method (see
Section 5.1.2). For example, a client program might make a decision to grant
access to non-directory information on the basis of successfully completing a
Bind operation. LDAP server implementations may return a success response to
an unauthenticated Bind request. This may erroneously leave the client with
the impression that the server has successfully authenticated the identity
represented by the distinguished name when in reality, an anonymous
authorization state has been established. Clients that use the results from a
simple Bind operation to make authorization decisions should actively detect
unauthenticated Bind requests (by verifying that the supplied password is not
empty) and react appropriately.
Artemis falls into this last category of "Clients that use the results from
a simple Bind operation to make authorization decisions." Therefore the
{{LDAPLoginModule}} to reject authentication attempts using empty or null
passwords.
> LDAPLoginModule should actively detect unauthenticated Bind requests
> --------------------------------------------------------------------
>
> Key: ARTEMIS-2010
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2010
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
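An added example, not Artemis's own {{LDAPLoginModule}} code, of the pre-bind check the issue calls for, written in Java since that is the project's language; the LDAP URL, the DN template and the helper class itself are placeholder assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.login.FailedLoginException;

// Hypothetical helper illustrating the RFC 4513 section 6.3.1 guard.
// Server URL and DN template are placeholders, not Artemis configuration.
public final class SimpleBindGuard {

    static final String LDAP_URL = "ldap://ldap.example.internal:389";        // placeholder
    static final String USER_DN_FORMAT = "uid=%s,ou=people,dc=example,dc=com"; // placeholder

    /**
     * Rejects the unauthenticated form of the simple Bind (a name with an empty
     * password) before the server is ever contacted. A server may answer such a
     * Bind with success while only establishing an anonymous authorization
     * state, so that success must never be read as "this user authenticated".
     */
    static void requireNonEmptyPassword(char[] password) throws FailedLoginException {
        if (password == null || password.length == 0) {
            throw new FailedLoginException(
                "Empty or null password: refusing unauthenticated simple Bind");
        }
    }

    /** Binds as the given user; uid is assumed to be already validated/escaped. */
    static DirContext bindAs(String uid, char[] password)
            throws NamingException, FailedLoginException {
        // The check happens first, so the Bind below is always the authenticated form.
        requireNonEmptyPassword(password);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_FORMAT, uid));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        // A success result here reflects a server-verified password, not an
        // anonymous authorization state, which is what the login module needs.
        return new InitialDirContext(env);
    }
}
```

The same guard belongs in front of any code path that turns a Bind result into an authorization decision, including a separate "search as the user" step that reuses the supplied credentials.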
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)