continuum-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brent Atkinson" <>
Subject Re: Unusual behavior on continuum/redback
Date Wed, 08 Dec 2010 23:08:08 GMT

As a follow up, someone has already logged this issue in JIRA as REDBACK-248. I just submitted
a patch that addresses allows you to configure (defaults should work for your case) whether
to allow empty passwords.


>>> "Brent Atkinson"  12/08/10 5:31 PM >>>

I suspect things are working exactly as intended. However, let me ask a question and provide
an explanation of what I think is occurring.

Does authentication fail/succeed correctly when a non-blank password is supplied? If so, I
don't think this problem is with continuum (actually redback - the utilized security framework).
I think you have the two LDAP servers configured differently. I suspect that you have the
OID instance configured to allow password-less binds. The reason the OpenLDAP works as intended
is that it is not allowing password-less binds.

To test this out, you can use a tool like the Apache Directory Studio plugin in Eclipse. Setup
a connection that doesn't supply a password and try to connect. If you can enter a blank password
and it connects and you can still see a directory tree, then you found the problem. You are
using the redback bind authenticator with an LDAP tree that allows people to bind with a blank
password. I trust you can see the flaw in that approach.

To verify that the behavior is possible, I stepped through an authentication attempt against
a server that has password-less bind enabled. Where things go awry is when redback delegates
to the ldap connection factory to connect as a user. The username and password (which is blank)
are passed along just as they should be. The key event is that the connection actually succeeds.
The bind authenticator expects a connect failure to indicate a bad authentication attempt.

To handle such ldap configurations to use bind authentication, redback could provide an option
to unilaterally treat blank passwords as authentication failures. This could live in the bind
authenticator itself or be just a normal security option.

Hope that helps,


>>> Louis Smith  12/07/10 12:00 PM >>>
I have verified that this behavior occurs when connecting a working
geronimo/continuum to an Oracle OID LDAP.

Connecting to an instance of OpenLDAP works correctly.

Is anyone out there using Oracle LDAP with Continuum/redback and/or



On Tue, Dec 7, 2010 at 8:08 AM, Louis Smith wrote:

> Sorry, wasn't awake yet.
> Client environment reporting issue:
> Continuum 1.3.6 under Geronimo 2.2 on redhat
> Oracle OID for LDAP,
> My local install (win/geronimo/continuum 1.4.1-SNAPSHOT) against OpenLDAP
> does NOT show this behavior.  Can't use anything other than a GA release at
> the client site as it is their production development environment.
> I am going to do a test after hours this evening to use my OpenLDAP with
> the client's 1.3.6 install and see if it is localized to their Oracle OID
> configuration.
> On Tue, Dec 7, 2010 at 7:47 AM, Wendy Smoak  wrote:
>> On Tue, Dec 7, 2010 at 5:33 AM, Louis Smith 
>> wrote:
>> > However, if you enter a valid ID, and leave the password field blank -
>> you
>> > are logged on as that user with all their rights and access.
>> What version of Continuum (and Redback) are you using?  My 1.3.6-based
>> instances don't behave this way.
>> The configuration is in conf/  Perhaps some
>> combination of the configurable options has allowed this.
>> --
>> Wendy
> --
> Dr. Louis Smith, ThD
> Chief Technology Officer, Kyra InfoTech
> Colonel, Commemorative Air Force

Dr. Louis Smith, ThD
Chief Technology Officer, Kyra InfoTech
Colonel, Commemorative Air Force

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message