directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-1325) Simple Authentication can not be disabled
Date Sat, 19 Jun 2010 08:09:24 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12880453#action_12880453
] 

Emmanuel Lecharny commented on DIRSERVER-1325:
----------------------------------------------

There are two different methods for authentication: Simple and SASL. These are combined with some
mechanisms and some secure layers (SSL and TLS). RFC 4513 specifies the way all those elements
are combined.

Simple authentication method:
- first, the simple anonymous authentication MUST be supported (RFC 4513, par. 2)
- second, the simple name/password authentication MUST be supported (RFC 4513, par. 2) but
SHOULD be disabled by default if either LDAPS or TLS is not used. This is not currently the
case, and has to be fixed

SASL authentication method:
- PLAIN and ANONYMOUS SASL mechanisms are disabled, as they are already provided through the
Simple method (at least, they should be disabled)
- the EXTERNAL mechanism can be used to establish an authentication using a lower security
layer (TLS) (RFC 4513, par 5.1.3)

All this has to be reviewed and documented.

> Simple Authentication can not be disabled
> -----------------------------------------
>
>                 Key: DIRSERVER-1325
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1325
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.5.4
>            Reporter: Andreas Kyrmegalos
>            Priority: Minor
>             Fix For: 2.0.0-RC1
>
>
> Recently upgraded to the 1.5 branch (1.5.4). Nice new feature set. While fiddling with
the settings I noticed this option:
>  <simpleMechanismHandler mech-name="SIMPLE"/>
> under the saslMechanismHandlers header. So, I assumed that, based on the name, one is
to understand that (since SASL PLAIN and LDAP SIMPLE are a 1:1 match) the ldap simple/sasl
plain authentication can be deactivated. After commenting the above mentioned setting, SASL
PLAIN is no longer mentioned in "supportedSASLMechanisms" and if one attempts to use it, a
javax.naming.AuthenticationNotSupportedException is what one gets. Unfortunately, if one tries
to use SIMPLE as an authentication mechanism, the bind succeeds. This also holds true for
the 1.5.5 trunk (as of 3/9/2009). This can be fixed by adding a typical is/set pair for a
boolean value, just like the case for anonymous access, in org.apache.directory.server.core.DirectoryService.java,
making a check when authenticate() is called in org.apache.directory.server.core.SimpleAuthenticator
and adding the relevant setting to defaultDirectoryService in server.xml. Did this myself,
seems to work as intended.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
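The rules Emmanuel lists (anonymous simple bind always supported, simple name/password only over a protected connection, SASL PLAIN/ANONYMOUS disabled in favour of the simple method, EXTERNAL relying on the TLS layer) and the flag Andreas describes (an is/set boolean that gates simple binds the way the anonymous-access flag already does) can be exercised at the protocol level. The following is an added example written for this page; it is not ApacheDS code and does not use the ApacheDS API. It decodes the BER of an LDAP BindRequest, classifies the bind according to RFC 4513, and applies a small policy object whose field names (`simple_auth_enabled`, `allow_simple_without_tls`, `disabled_sasl_mechs`) and return strings are assumptions for illustration. The bind messages it parses are constructed inline by the helper functions, not captured from a server.

```python
"""Classify LDAP BindRequests per RFC 4513 and apply a bind policy.

Added example; not ApacheDS code. BindPolicy field names and the
accept/reject strings are assumptions chosen for illustration.
Only definite-length BER is handled, which is all LDAP uses.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    enc = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + value


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str
    method: str                 # "simple" or "sasl"
    password: Optional[bytes]   # simple method only
    mechanism: Optional[str]    # sasl method only


def parse_bind_request(msg: bytes) -> BindRequest:
    """Decode LDAPMessage { messageID, protocolOp [APPLICATION 0] BindRequest }.

    LDAP uses IMPLICIT tags, so 'simple [0] OCTET STRING' is tag 0x80 and
    'sasl [3] SaslCredentials' (a SEQUENCE) is the constructed tag 0xA3.
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    message_id = int.from_bytes(mid, "big")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest ([APPLICATION 0])")
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag == 0x80:
        return BindRequest(message_id, int.from_bytes(ver, "big"), name.decode(), "simple", auth, None)
    if tag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)   # SaslCredentials.mechanism; credentials optional, unused here
        return BindRequest(message_id, int.from_bytes(ver, "big"), name.decode(), "sasl", None, mech.decode())
    raise ValueError(f"unknown authentication choice tag 0x{tag:02x}")


@dataclass
class BindPolicy:
    simple_auth_enabled: bool = True          # assumed name for the is/set flag the reporter proposes
    allow_simple_without_tls: bool = False    # RFC 4513: name/password without TLS should be off by default
    disabled_sasl_mechs: FrozenSet[str] = frozenset({"PLAIN", "ANONYMOUS"})  # covered by the simple method


def decide(req: BindRequest, policy: BindPolicy, tls_in_place: bool) -> str:
    """Return an accept/reject label for the bind under the given policy and transport."""
    if req.method == "simple":
        if req.name == "" and req.password == b"":
            return "accept:anonymous"           # anonymous simple bind: MUST be supported (RFC 4513 sec. 2)
        if not policy.simple_auth_enabled:
            return "reject:simple-disabled"     # the gate the reporter added to SimpleAuthenticator.authenticate()
        if req.name == "" or req.password == b"":
            return "reject:unauthenticated"     # name without password (or vice versa): not a real authentication
        if not tls_in_place and not policy.allow_simple_without_tls:
            return "reject:cleartext-password"  # password would cross the wire unprotected
        return "accept:simple"
    if req.mechanism in policy.disabled_sasl_mechs:
        return "reject:sasl-mech-disabled"
    if req.mechanism == "EXTERNAL" and not tls_in_place:
        return "reject:external-needs-lower-layer"  # EXTERNAL borrows identity from the TLS layer
    return "dispatch:sasl"                      # hand to the mechanism handler (DIGEST-MD5, GSSAPI, ...)


def build_simple_bind(message_id: int, name: str, password: bytes) -> bytes:
    """Constructed LDAPv3 simple BindRequest (message_id must fit one byte here)."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, name.encode()) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def build_sasl_bind(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """Constructed LDAPv3 SASL BindRequest with an empty name."""
    sasl = _tlv(0x04, mechanism.encode()) + (_tlv(0x04, credentials) if credentials else b"")
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


if __name__ == "__main__":
    policy = BindPolicy()
    samples = [
        ("anonymous", build_simple_bind(1, "", b""), False),
        ("name/password, no TLS", build_simple_bind(2, "uid=test,ou=people,dc=example,dc=com", b"secret"), False),
        ("name/password, TLS", build_simple_bind(3, "uid=test,ou=people,dc=example,dc=com", b"secret"), True),
        ("SASL PLAIN", build_sasl_bind(4, "PLAIN", b"\x00test\x00secret"), True),
        ("SASL EXTERNAL, TLS", build_sasl_bind(5, "EXTERNAL"), True),
    ]
    for label, raw, tls in samples:
        print(f"{label:24s} -> {decide(parse_bind_request(raw), policy, tls)}")
```

Note that `simple_auth_enabled` is checked after the anonymous case, mirroring the reporter's remark that anonymous access already has its own flag: turning off simple name/password binds must not also turn off anonymous binds, which RFC 4513 requires servers to support.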

