Jonathan Anstey created KARAF-2528:
--------------------------------------

             Summary: don't allow authentication = none if LDAP user or 
password is provided
                 Key: KARAF-2528
                 URL: https://issues.apache.org/jira/browse/KARAF-2528
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 2.3.3
            Reporter: Jonathan Anstey


Right now if you add authentication = none to the LDAP config, you can log in 
as any user. It seems wrong that you can just specify any username and it will 
log you into karaf as that user. I think authentication = none makes more sense 
to an LDAP server because it has the concept of an anonymous user that can do 
only searches, say. Something that Karaf does not.

It isn't really a big deal but I wonder if it is a useful feature. It could 
lead to a dangerous practice. I'm proposing something like:

{code}                        
diff --git 
a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
 
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
index a9b0fbf..c6c1755 100644
--- 
a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
+++ 
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
@@ -153,6 +153,16 @@ public class LDAPLoginModule extends 
AbstractKarafLoginModule {
         user = ((NameCallback) callbacks[0]).getName();
 
         char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
+        
+        // If either a username or password is specified don't allow 
authentication = "none".
+        // This is to prevent someone from logging into Karaf as any user 
without providing a 
+        // valid password (because if authentication = none, the password 
could be any 
+        // value - it is ignored).
+        if ("none".equals(authentication) && (user != null || tmpPassword != 
null)) {
+            // default to simple so that the provided user/password will get 
checked
+            authentication = "simple";
+        }
+        
         if (tmpPassword == null) {
             tmpPassword = new char[0];
         }
        
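Review bot: the guard `"none".equals(authentication) && (user != null || tmpPassword != null)` treats an empty username or a zero-length password as "specified", since `NameCallback.getName()` and `PasswordCallback.getPassword()` can return `""` or an empty array rather than `null`; if the intent in the comment is to fall back to `simple` only when a real credential was supplied, test for non-empty values, e.g. `(user != null && !user.isEmpty()) || (tmpPassword != null && tmpPassword.length > 0)`. In practice a `NameCallback` is filled in on every interactive login, so this change effectively disables `authentication = none` for all logins through this module; that is arguably the safe default, but it should be stated in the module's documentation and logged with a warning when the override fires, so an operator who configured `none` learns why their binds are now being sent as `simple` instead of silently seeing failures. Finally, assigning to the `authentication` field mutates the module's configured state for the rest of this login rather than using a local for the bind; a local would keep the configured value intact for subsequent logins and any later code that inspects it.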
{code}

I'll commit the changes once I get my karma set up and if there are no 
objections :-)



--
This message was sent by Atlassian JIRA
(v6.1#6144)
