The problem lies in the fact that even if the LDAP server allows an anonymous bind, what the LdapLoginModule is supposed to be doing is checking the username and password of the caller. The module is creating a Context.SECURITY_PRINCIPAL and SECURITY_CREDENTIALS to use in the context env mapping. At this point I would argue that it is not an anon bind: the principal and credentials are being set, so it should act as if it is authenticating a user with the information. If the user does not enter a password then that should be considered their credentials to verify.
My issue really lies in the way the InitialContext decides for you that if the password is empty it sets the auth type of the context to none. I have worked with LDAP auth modules in other settings such as Apache, and the behaviour is what I think should be expected: an empty password is used to authenticate the named user to the directory and fails if it is not the user's password. And this is going against LDAP servers that allow anon connections. Anyway, again I really feel that if given a username and password it is no longer anonymous and should not be treated as such, whether the server allows anonymous connections or not.

Scott M Stark wrote:
> I don't see the problem. If your ldap server allows an anonymous bind an empty
> password is a valid input. If it does not then authentication will fail.
>
> xxxxxxxxxxxxxxxxxxxxxxxx
> Scott Stark
> Chief Technology Officer
> JBoss Group, LLC
> xxxxxxxxxxxxxxxxxxxxxxxx
>
> ----- Original Message -----
> From: "Robert Dingwell" <[EMAIL PROTECTED]>
> To: "jboss-development_list" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, September 10, 2002 2:34 PM
> Subject: [JBoss-dev] LdapLoginModule Bug: Problem with empty passwords
>
> > Using the LdapLoginModule, supplying an empty password for a user causes
> > an anonymous bind to happen. This is documented in the JNDI
> > documentation here:
> > http://java.sun.com/products/jndi/tutorial/ldap/faq/context.html
> >
> > Read the section [ Why does the LDAP provider ignore my security
> > environment properties if I do not set the Context.SECURITY_CREDENTIALS
> > ("java.naming.security.credentials") property or set it to the empty
> > string? ]. Supplying an empty string as the credentials causes the
> > context to set the SECURITY_AUTHENTICATION property to "none" and then
> > does an anon bind.
> >
> > If your LDAP server is set to accept anon connections this is a problem
> > for the LdapLoginModule. Supplying the empty password does not cause an
> > exception to be thrown and the uid and the roles for that uid are passed
> > back.
> >
> > Here is the patch for this as well. The only thing that needed to be
> > changed in the method was to check to make sure the password is not an
> > empty string as well as null.
> >
> >     protected boolean validatePassword(String inputPassword, String expectedPassword)
> >     {
> >         boolean isValid = false;
> >         // Reject both null and the empty string: an empty credential makes the
> >         // JNDI LDAP provider fall back to an anonymous bind instead of failing.
> >         if( inputPassword != null && !inputPassword.equals("") )
> >         {
> >             try
> >             {
> >                 // Validate the password by trying to create an initial context
> >                 String username = getUsername();
> >                 createLdapInitContext(username, inputPassword);
> >                 isValid = true;
> >             }
> >             catch(NamingException e)
> >             {
> >                 super.log.error("Failed to validate password", e);
> >             }
> >         }
> >         return isValid;
> >     }
> >
> > Rob Dingwell
> >
> -------------------------------------------------------
> In remembrance
> www.osdn.com/911/
> _______________________________________________
> Jboss-development mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-development
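The behaviour argued over in this thread is easy to reproduce in isolation: the JNDI LDAP provider treats an unset or empty java.naming.security.credentials value as a request for an anonymous bind, regardless of the principal you supplied, so a login module that forwards an empty password straight into InitialDirContext gets a successful anonymous context back on any server that permits anonymous access. The following stand-alone class is an added illustration of the defensive pattern the thread converges on; it is not code from the JBoss LdapLoginModule or from the thread's author. The provider URL and the DN are constructed placeholders, and the bindEnv and validatePassword names are this example's own.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class LdapBindCheck {

    // Builds the JNDI environment for a simple bind. Null or empty credentials are
    // rejected here, before any network call: setting SECURITY_AUTHENTICATION to
    // "simple" documents the intent, but the LDAP provider still ignores it and
    // binds anonymously when SECURITY_CREDENTIALS is empty, so the explicit check
    // is the real guard.
    static Hashtable<String, String> bindEnv(String providerUrl, String principalDn, String password) {
        if (principalDn == null || principalDn.isEmpty()) {
            throw new IllegalArgumentException("principal DN must not be empty");
        }
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("password must not be empty (would become an anonymous bind)");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    // Returns true only when the directory accepts a simple bind as principalDn
    // with the given password. An empty password is reported as a failed
    // authentication instead of being handed to JNDI.
    static boolean validatePassword(String providerUrl, String principalDn, String password) {
        if (password == null || password.isEmpty()) {
            return false;
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(bindEnv(providerUrl, principalDn, password));
            return true;
        } catch (AuthenticationException e) {
            // Wrong password (or unknown DN): the expected failure path.
            return false;
        } catch (NamingException e) {
            // Server unreachable, TLS failure, etc. Fail closed; a real module logs this.
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder server and DN; pass a real URL and password as arguments to try a live bind.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.invalid:389";
        String dn = "uid=jdoe,ou=people,dc=example,dc=com";
        // The empty-password case never reaches the network and is always false.
        System.out.println("empty password accepted? " + validatePassword(url, dn, ""));
        // A non-empty password is only accepted if the directory confirms it.
        String pw = args.length > 1 ? args[1] : "not-the-real-password";
        System.out.println("bind accepted? " + validatePassword(url, dn, pw));
    }
}
```

The point of keeping the empty check in application code rather than relying on SECURITY_AUTHENTICATION is exactly the one raised in the quoted JNDI FAQ entry: the provider decides the bind type from the credentials, so the only place a caller can turn "empty password" into "authentication failed" is before the context is created.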
