Louis, As a follow up, someone has already logged this issue in JIRA as REDBACK-248. I just submitted a patch that addresses allows you to configure (defaults should work for your case) whether to allow empty passwords.
Brent >>> "Brent Atkinson" 12/08/10 5:31 PM >>> Louis, I suspect things are working exactly as intended. However, let me ask a question and provide an explanation of what I think is occurring. Does authentication fail/succeed correctly when a non-blank password is supplied? If so, I don't think this problem is with continuum (actually redback - the utilized security framework). I think you have the two LDAP servers configured differently. I suspect that you have the OID instance configured to allow password-less binds. The reason the OpenLDAP works as intended is that it is not allowing password-less binds. To test this out, you can use a tool like the Apache Directory Studio plugin in Eclipse. Setup a connection that doesn't supply a password and try to connect. If you can enter a blank password and it connects and you can still see a directory tree, then you found the problem. You are using the redback bind authenticator with an LDAP tree that allows people to bind with a blank password. I trust you can see the flaw in that approach. To verify that the behavior is possible, I stepped through an authentication attempt against a server that has password-less bind enabled. Where things go awry is when redback delegates to the ldap connection factory to connect as a user. The username and password (which is blank) are passed along just as they should be. The key event is that the connection actually succeeds. The bind authenticator expects a connect failure to indicate a bad authentication attempt. To handle such ldap configurations to use bind authentication, redback could provide an option to unilaterally treat blank passwords as authentication failures. This could live in the bind authenticator itself or be just a normal security option. Hope that helps, Brent >>> Louis Smith 12/07/10 12:00 PM >>> I have verified that this behavior occurs when connecting a working geronimo/continuum to an Oracle OID LDAP. Connecting to an instance of OpenLDAP works correctly. Is anyone out there using Oracle LDAP with Continuum/redback and/or Archiva/redback???? Thanks, Louis On Tue, Dec 7, 2010 at 8:08 AM, Louis Smith wrote: > Sorry, wasn't awake yet. > > > Client environment reporting issue: > > Continuum 1.3.6 under Geronimo 2.2 on redhat > > Oracle OID 11.1.1.3 for LDAP, > > My local install (win/geronimo/continuum 1.4.1-SNAPSHOT) against OpenLDAP > does NOT show this behavior. Can't use anything other than a GA release at > the client site as it is their production development environment. > > I am going to do a test after hours this evening to use my OpenLDAP with > the client's 1.3.6 install and see if it is localized to their Oracle OID > configuration. > > > > On Tue, Dec 7, 2010 at 7:47 AM, Wendy Smoak wrote: > >> On Tue, Dec 7, 2010 at 5:33 AM, Louis Smith >> wrote: >> >> > However, if you enter a valid ID, and leave the password field blank - >> you >> > are logged on as that user with all their rights and access. >> >> What version of Continuum (and Redback) are you using? My 1.3.6-based >> instances don't behave this way. >> >> The configuration is in conf/security.properties. Perhaps some >> combination of the configurable options has allowed this. >> >> -- >> Wendy >> > > > > -- > Dr. Louis Smith, ThD > Chief Technology Officer, Kyra InfoTech > Colonel, Commemorative Air Force > -- Dr. Louis Smith, ThD Chief Technology Officer, Kyra InfoTech Colonel, Commemorative Air Force
