[ 
https://issues.apache.org/jira/browse/KARAF-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jonathan Anstey resolved KARAF-2528.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.4
                   3.0.0
                   2.4.0

> don't allow authentication = none if LDAP user or password is provided
> ----------------------------------------------------------------------
>
>                 Key: KARAF-2528
>                 URL: https://issues.apache.org/jira/browse/KARAF-2528
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 2.3.3
>            Reporter: Jonathan Anstey
>             Fix For: 2.4.0, 3.0.0, 2.3.4
>
>
> Right now if you add authentication = none to the LDAP config, you can log in 
> as any user. It seems wrong that you can just specify any username and it 
> will log you into karaf as that user. I think authentication = none makes 
> more sense to an LDAP server because it has the concept of an anonymous user 
> that can do only searches, say. Something that Karaf does not.
> It isn't really a big deal but I wonder if it is a useful feature. It could 
> lead to a dangerous practice. I'm proposing something like:
> {code}                        
> diff --git 
> a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
>  
> b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> index a9b0fbf..c6c1755 100644
> --- 
> a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> +++ 
> b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> @@ -153,6 +153,16 @@ public class LDAPLoginModule extends 
> AbstractKarafLoginModule {
>          user = ((NameCallback) callbacks[0]).getName();
>  
>          char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
> +        
> +        // If either a username or password is specified don't allow 
> authentication = "none".
> +        // This is to prevent someone from logging into Karaf as any user 
> without providing a 
> +        // valid password (because if authentication = none, the password 
> could be any 
> +        // value - it is ignored).
> +        if ("none".equals(authentication) && (user != null || tmpPassword != 
> null)) {
> +            // default to simple so that the provided user/password will get 
> checked
> +            authentication = "simple";
> +        }
> +        
>          if (tmpPassword == null) {
>              tmpPassword = new char[0];
>          }
>         
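Review bot: the guard `"none".equals(authentication) && (user != null || tmpPassword != null)` will fire on practically every login, because `user` comes straight from the NameCallback and is non-null (if possibly empty) whenever a login is attempted, so the change effectively disables `authentication = none` rather than rejecting a misconfiguration; if that is the intent, the comment should say so, and a logged warning or a `LoginException` with a clear message would be preferable to silently switching the mode to `simple`. The check should also treat empty values like missing ones: a null password is turned into `new char[0]` on the lines immediately after the guard, so a `simple` bind is still attempted with an empty credential; reject an empty user or password before binding, e.g. `if (tmpPassword == null || tmpPassword.length == 0) throw new LoginException("Empty password is not allowed");`.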
> {code}
> I'll commit the changes once I get my karma set up and if there are no 
> objections :-)



--
This message was sent by Atlassian JIRA
(v6.1#6144)
