[JBoss-user] LdapLoginModule null password

Sonnek, Ryan Fri, 24 May 2002 08:47:05 -0700

why can a user log in with a null password?

the LdapLoginModule works great, except for it's allowing people to login
with null passwords.  here's how the setup's working now:


if username is invalid, user is rejected.
if username exists, but password is invalid, user is rejected.
if username exists, and password is valid, user is logged in.
if username exists, and no password is input, user is logged in.

WHAT???
docs say that the SimpleLoginModule allows this, but not the
LdapLoginModule.  What's going on here?  how can i prevent this behavior?

-------------
auth.conf
-------------
ldap {
  org.jboss.security.plugins.samples.LdapLoginModule required
        java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
        java.naming.provider.url="ldap://172.16.1.26:389/";
        java.naming.security.authentication="simple"
        java.naming.security.principal="cn=admin,dc=mybpc,dc=net"
        java.naming.security.credentials="xxxxxx"
        principalDNPrefix="cn="
        principalDNSuffix=",ou=users,dc=mybpc,dc=net"
        rolesCtxDN="ou=roles,dc=mybpc,dc=net"
        roleAttributeID="cn"
        uidAttributeID="uniqueMember"
        matchOnUserDN=true
 ;
};


Ryan J. Sonnek
Brown Printing Company
IT Programmer/Analyst
(507) 835-0803
<mailto:[EMAIL PROTECTED]>


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

[JBoss-user] LdapLoginModule null password

Reply via email to