I don't think the client wants to hear that their Oracle LDAP isn't secure ... and I don't think they know how to configure it to behave the same as OpenLDAP ... so they will love hearing that you have a patch to redback that will "fix the issue" with Archiva and Continuum. Thank you all!!!

So when can I get the patch, so I can rebuild redback, then build both archiva and continuum ... and try re-deploying everything?

On Wed, Dec 8, 2010 at 6:08 PM, Brent Atkinson <[email protected]> wrote:
> Louis,
>
> As a follow up, someone has already logged this issue in JIRA as REDBACK-248. I just submitted a patch that allows you to configure (defaults should work for your case) whether to allow empty passwords.
>
> Brent
>
> >>> "Brent Atkinson" 12/08/10 5:31 PM >>>
> Louis,
>
> I suspect things are working exactly as intended. However, let me ask a question and provide an explanation of what I think is occurring.
>
> Does authentication fail/succeed correctly when a non-blank password is supplied? If so, I don't think this problem is with continuum (actually redback - the utilized security framework). I think you have the two LDAP servers configured differently. I suspect that you have the OID instance configured to allow password-less binds. The reason the OpenLDAP works as intended is that it is not allowing password-less binds.
>
> To test this out, you can use a tool like the Apache Directory Studio plugin in Eclipse. Set up a connection that doesn't supply a password and try to connect. If you can enter a blank password and it connects and you can still see a directory tree, then you found the problem. You are using the redback bind authenticator with an LDAP tree that allows people to bind with a blank password. I trust you can see the flaw in that approach.
>
> To verify that the behavior is possible, I stepped through an authentication attempt against a server that has password-less bind enabled. Where things go awry is when redback delegates to the ldap connection factory to connect as a user. The username and password (which is blank) are passed along just as they should be. The key event is that the connection actually succeeds. The bind authenticator expects a connect failure to indicate a bad authentication attempt.
>
> To handle such ldap configurations to use bind authentication, redback could provide an option to unilaterally treat blank passwords as authentication failures. This could live in the bind authenticator itself or be just a normal security option.
>
> Hope that helps,
>
> Brent
>
> >>> Louis Smith 12/07/10 12:00 PM >>>
> I have verified that this behavior occurs when connecting a working geronimo/continuum to an Oracle OID LDAP.
>
> Connecting to an instance of OpenLDAP works correctly.
>
> Is anyone out there using Oracle LDAP with Continuum/redback and/or Archiva/redback????
>
> Thanks,
>
> Louis
>
> On Tue, Dec 7, 2010 at 8:08 AM, Louis Smith wrote:
> >
> > Sorry, wasn't awake yet.
> >
> > Client environment reporting issue:
> >
> > Continuum 1.3.6 under Geronimo 2.2 on redhat
> >
> > Oracle OID 11.1.1.3 for LDAP,
> >
> > My local install (win/geronimo/continuum 1.4.1-SNAPSHOT) against OpenLDAP does NOT show this behavior. Can't use anything other than a GA release at the client site as it is their production development environment.
> >
> > I am going to do a test after hours this evening to use my OpenLDAP with the client's 1.3.6 install and see if it is localized to their Oracle OID configuration.
> >
> > On Tue, Dec 7, 2010 at 7:47 AM, Wendy Smoak wrote:
> >
> >> On Tue, Dec 7, 2010 at 5:33 AM, Louis Smith wrote:
> >>
> >> > However, if you enter a valid ID, and leave the password field blank - you are logged on as that user with all their rights and access.
> >>
> >> What version of Continuum (and Redback) are you using? My 1.3.6-based instances don't behave this way.
> >>
> >> The configuration is in conf/security.properties. Perhaps some combination of the configurable options has allowed this.
> >>
> >> --
> >> Wendy
> >

--
Dr. Louis Smith, ThD
Chief Technology Officer, Kyra InfoTech
Colonel, Commemorative Air Force
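The mechanism Brent describes above, written out as an added example (this is not Redback's code, and it is Python rather than the project's Java). Under RFC 4513 section 5.1, a simple bind that carries a DN but an empty password is an "unauthenticated" bind: a server may accept it, but the resulting session is anonymous, not the identity in the DN. An authenticator that equates "bind did not fail" with "password was correct" therefore logs anyone in with a blank password whenever the directory permits such binds. `ModelLdapServer` is a constructed in-memory stand-in for the directory (not a real LDAP client or server), the `uid=louis,...` DN, its password and the function names are all assumptions made for the example, and `allow_unauthenticated_bind=True` stands in for the OID configuration suspected in the thread while `False` stands in for the OpenLDAP behaviour reported there.

```python
"""Model of the blank-password bind hole discussed in the thread.

Added example, not Redback's code and not a real LDAP client.
ModelLdapServer is a constructed in-memory stand-in that follows the
simple-bind rules of RFC 4513 section 5.1: a DN with an empty password
is an "unauthenticated" bind, which a server may accept, but which grants
only anonymous authorization, never the identity named in the DN.
"""
from dataclasses import dataclass

# LDAP resultCode values (RFC 4511 section 4.1.9).
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# Constructed test directory: DN -> password (assumed values).
LOUIS_DN = "uid=louis,ou=people,dc=example,dc=com"
DIRECTORY = {LOUIS_DN: "correct horse"}


@dataclass
class ModelLdapServer:
    """Minimal model of a directory server's simple-bind decision."""
    passwords: dict
    # True models the OID configuration suspected in the thread; False models
    # OpenLDAP without 'allow bind_anon_dn' in slapd.conf.
    allow_unauthenticated_bind: bool = True

    def simple_bind(self, dn: str, password: str):
        """Return (resultCode, authorization identity after the bind)."""
        if dn == "" and password == "":
            return SUCCESS, "anonymous"          # anonymous bind, RFC 4513 s5.1.1
        if password == "":
            if self.allow_unauthenticated_bind:
                # The trap: the bind *succeeds*, but as anonymous, not as `dn`.
                return SUCCESS, "anonymous"
            return UNWILLING_TO_PERFORM, None    # DN-without-password refused
        if self.passwords.get(dn) == password:
            return SUCCESS, "dn:" + dn
        return INVALID_CREDENTIALS, None


def naive_bind_authenticate(server: ModelLdapServer, dn: str, password: str) -> bool:
    """The behaviour described in the thread: 'bind did not fail' is taken to
    mean 'password was right'. Against a server that accepts unauthenticated
    binds this logs the user in with a blank password."""
    code, _ = server.simple_bind(dn, password)
    return code == SUCCESS


def hardened_bind_authenticate(server: ModelLdapServer, dn: str, password: str) -> bool:
    """Two independent checks, either of which closes the hole:
    1. never send an empty password to the server (what the REDBACK-248
       patch mentioned in the thread makes configurable);
    2. after a successful bind, confirm the server actually authorised us
       as `dn`. In a real client this is the "Who am I?" extended operation
       (RFC 4532); the model hands back the same fact from simple_bind.
    """
    if not password:
        return False
    code, authzid = server.simple_bind(dn, password)
    return code == SUCCESS and authzid == "dn:" + dn


def run_scenarios() -> dict:
    """Exercise both authenticators against both server configurations.
    Keys are (server, authenticator, password case) -> logged in?"""
    servers = (
        ("oid_like", ModelLdapServer(DIRECTORY, allow_unauthenticated_bind=True)),
        ("openldap_like", ModelLdapServer(DIRECTORY, allow_unauthenticated_bind=False)),
    )
    cases = (("blank", ""), ("wrong", "nope"), ("right", "correct horse"))
    results = {}
    for label, server in servers:
        for auth in (naive_bind_authenticate, hardened_bind_authenticate):
            for case, pw in cases:
                results[(label, auth.__name__, case)] = auth(server, LOUIS_DN, pw)
    return results


if __name__ == "__main__":
    for key, ok in sorted(run_scenarios().items()):
        print(f"{key[0]:14} {key[1]:28} {key[2]:6} -> {'LOGGED IN' if ok else 'rejected'}")
```

Only the combination "server accepts unauthenticated binds" plus "naive authenticator" plus "blank password" yields a login, which matches the symptom reported against OID and its absence against OpenLDAP. On a real directory the equivalent of Brent's Directory Studio test is `ldapwhoami -x -H ldap://host -D "uid=louis,ou=people,dc=example,dc=com" -w ""` (DN and host assumed): a server that permits unauthenticated binds answers `anonymous` rather than `dn:uid=louis,...`, which is exactly the session the naive authenticator mistakes for a successful login.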
