[ https://issues.apache.org/jira/browse/ARTEMIS-2010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram resolved ARTEMIS-2010.
-------------------------------------
    Resolution: Fixed
    Fix Version/s: 2.6.3
                   2.7.0

> LDAPLoginModule should actively detect unauthenticated Bind requests
> --------------------------------------------------------------------
>
>                 Key: ARTEMIS-2010
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2010
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>            Priority: Major
>             Fix For: 2.7.0, 2.6.3
>
>
> The [LDAP spec|https://tools.ietf.org/html/rfc4513#section-6.3.1] states:
>
> bq. Operational experience shows that clients can (and frequently do) misuse
> the unauthenticated authentication mechanism of the simple Bind method (see
> Section 5.1.2). For example, a client program might make a decision to grant
> access to non-directory information on the basis of successfully completing a
> Bind operation. LDAP server implementations may return a success response to
> an unauthenticated Bind request. This may erroneously leave the client with
> the impression that the server has successfully authenticated the identity
> represented by the distinguished name when in reality, an anonymous
> authorization state has been established. Clients that use the results from
> a simple Bind operation to make authorization decisions should actively
> detect unauthenticated Bind requests (by verifying that the supplied password
> is not empty) and react appropriately.
>
> Artemis falls into this last category of "Clients that use the results
> from a simple Bind operation to make authorization decisions." Therefore the
> {{LDAPLoginModule}} should reject authentication attempts using empty or null
> passwords.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
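The following is an added example, not code from Artemis or from the JIRA issue above. It models the three simple Bind cases from RFC 4513 section 5.1 in a small mock LDAP server, then contrasts a login routine that trusts the Bind result code alone with one that does what section 6.3.1 asks: reject an empty or null password before binding. The directory contents, DNs and passwords are constructed for the example; the server's choice to answer an unauthenticated Bind with success is the permissive behaviour the RFC warns about, not a statement about any particular LDAP product.

```python
"""Added example (not Artemis code): why an LDAP-backed login must refuse
empty passwords itself instead of trusting a simple Bind's result code.

The directory, DNs and passwords below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed toy directory: DN -> password (assumption for the example).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "s3cret",
}

# LDAP resultCode values (RFC 4511 section 4.1.9).
SUCCESS = 0
INVALID_CREDENTIALS = 49


@dataclass
class BindResult:
    result_code: int
    authz_state: str  # "anonymous" or the DN whose identity was established


def ldap_simple_bind(name: str, password: str) -> BindResult:
    """Server side of a simple Bind, following RFC 4513 section 5.1.

    - empty name, empty password     -> anonymous bind (5.1.1)
    - non-empty name, empty password -> *unauthenticated* bind (5.1.2): the
      server is allowed to answer success, yet the authorization state it
      establishes is still anonymous
    - name and password              -> name/password authentication (5.1.3)
    """
    if password == "":
        # Servers MAY reject this; this mock models the permissive servers
        # the RFC describes, which return success but stay anonymous.
        return BindResult(SUCCESS, "anonymous")
    if DIRECTORY.get(name) == password:
        return BindResult(SUCCESS, name)
    return BindResult(INVALID_CREDENTIALS, "anonymous")


def naive_login(dn: str, password: Optional[str]) -> bool:
    """The flawed pattern: treat resultCode == success as 'authenticated'.
    A null or empty password turns into an unauthenticated Bind, which this
    server answers with success, so the caller is wrongly let in."""
    return ldap_simple_bind(dn, password or "").result_code == SUCCESS


def hardened_login(dn: str, password: Optional[str]) -> bool:
    """What RFC 4513 section 6.3.1 asks of clients: verify the supplied
    password is not empty (or null) *before* binding, so an unauthenticated
    Bind can never be mistaken for a successful authentication."""
    if not dn or password is None or password == "":
        return False
    result = ldap_simple_bind(dn, password)
    # Second line of defence: even on success, require that the server
    # actually bound as the requested DN rather than anonymously.
    return result.result_code == SUCCESS and result.authz_state == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("naive, empty password    :", naive_login(alice, ""))          # True (the bug)
    print("hardened, empty password :", hardened_login(alice, ""))       # False
    print("hardened, right password :", hardened_login(alice, "s3cret")) # True
```

The pre-bind check is the important half: once a client has sent an empty password, the server's success response carries no authentication at all, so the only reliable place to stop an unauthenticated Bind from being treated as a login is before the Bind request is built.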