Because you are supplying the credentials to use in the configuration.
Neither
> java.naming.security.principal="cn=admin,dc=mybpc,dc=net"
> java.naming.security.credentials="xxxxxx"

should be in the configuration. These are generated based on the caller
principal and credentials, but if you specify them and then do not provide
this info you have defined a default login for everyone. Where in the docs
does it say to include these?

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
----- Original Message -----
From: "Sonnek, Ryan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 24, 2002 9:02 AM
Subject: [JBoss-user] LdapLoginModule null password


> Why can a user log in with a null password?
>
> The LdapLoginModule works great, except that it's allowing people to log in
> with null passwords.  Here's how the setup's working now:
>
> if username is invalid, user is rejected.
> if username exists, but password is invalid, user is rejected.
> if username exists, and password is valid, user is logged in.
> if username exists, and no password is input, user is logged in.
>
> WHAT???
> Docs say that the SimpleLoginModule allows this, but not the
> LdapLoginModule.  What's going on here?  How can I prevent this behavior?
>
> -------------
> auth.conf
> -------------
> ldap {
>   org.jboss.security.plugins.samples.LdapLoginModule required
>   java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
>   java.naming.provider.url="ldap://172.16.1.26:389/"
>   java.naming.security.authentication="simple"
>   java.naming.security.principal="cn=admin,dc=mybpc,dc=net"
>   java.naming.security.credentials="xxxxxx"
>   principalDNPrefix="cn="
>   principalDNSuffix=",ou=users,dc=mybpc,dc=net"
>   rolesCtxDN="ou=roles,dc=mybpc,dc=net"
>   roleAttributeID="cn"
>   uidAttributeID="uniqueMember"
>   matchOnUserDN=true
>   ;
> };
>
>
> Ryan J. Sonnek
> Brown Printing Company
> IT Programmer/Analyst
> (507) 835-0803
> <mailto:[EMAIL PROTECTED]>
>
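
A configuration check for the point made in the reply above, as an added example that is not part of the original thread or of JBoss: it scans a JAAS login configuration and reports any LDAP login module that sets `java.naming.security.principal` or `java.naming.security.credentials`. The function name, the regexes and the rule of matching "ldap" in the module class name are assumptions of this example; the sample configuration is adapted from the auth.conf quoted in the message.

```python
import re

# Options the reply says must not be set on the LDAP module: if present, they
# act as a default login whenever the caller supplies no credentials.
FIXED_BIND_OPTIONS = ("java.naming.security.principal",
                      "java.naming.security.credentials")

ENTRY = re.compile(r"([\w.-]+)\s*\{(.*?)\}\s*;", re.S)
MODULE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b")
OPTION = re.compile(r"([\w.]+)\s*=\s*(\"[^\"]*\"|[^\s;]+)")

# Adapted from the auth.conf in the message (password placeholder as posted).
BEFORE = """ldap {
  org.jboss.security.plugins.samples.LdapLoginModule required
  java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
  java.naming.provider.url="ldap://172.16.1.26:389/"
  java.naming.security.authentication="simple"
  java.naming.security.principal="cn=admin,dc=mybpc,dc=net"
  java.naming.security.credentials="xxxxxx"
  principalDNPrefix="cn="
  principalDNSuffix=",ou=users,dc=mybpc,dc=net"
  rolesCtxDN="ou=roles,dc=mybpc,dc=net"
  roleAttributeID="cn"
  uidAttributeID="uniqueMember"
  matchOnUserDN=true
  ;
};"""
# Corrected form (constructed): the same entry without the two fixed options.
AFTER = "\n".join(line for line in BEFORE.splitlines()
                  if not any(opt in line for opt in FIXED_BIND_OPTIONS))


def audit_login_config(text):
    """Return (entry, module_class, option) for each fixed bind option found
    on an LDAP login module in a JAAS login configuration."""
    findings = []
    for entry in ENTRY.finditer(text):
        name, body = entry.group(1), entry.group(2)
        modules = list(MODULE.finditer(body))
        for i, mod in enumerate(modules):
            # A module's options run up to the next module declaration.
            end = modules[i + 1].start() if i + 1 < len(modules) else len(body)
            options = {key for key, _ in OPTION.findall(body[mod.end():end])}
            if "ldap" not in mod.group(1).lower():
                continue
            findings += [(name, mod.group(1), opt)
                         for opt in FIXED_BIND_OPTIONS if opt in options]
    return findings
```
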

