karaf-issues mailing list archives

From "Jonathan Anstey (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (KARAF-2528) don't allow authentication = none if LDAP user or password is provided
Date Mon, 28 Oct 2013 17:42:32 GMT

     [ https://issues.apache.org/jira/browse/KARAF-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Anstey resolved KARAF-2528.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.4
                   3.0.0
                   2.4.0

> don't allow authentication = none if LDAP user or password is provided
> ----------------------------------------------------------------------
>
>                 Key: KARAF-2528
>                 URL: https://issues.apache.org/jira/browse/KARAF-2528
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 2.3.3
>            Reporter: Jonathan Anstey
>             Fix For: 2.4.0, 3.0.0, 2.3.4
>
>
> Right now if you add authentication = none to the LDAP config, you can log in as any user. It seems wrong that you can just specify any username and it will log you into Karaf as that user. I think authentication = none makes more sense to an LDAP server because it has the concept of an anonymous user that can do only searches, say. Something that Karaf does not.
> It isn't really a big deal, but I wonder if it is a useful feature. It could lead to a dangerous practice. I'm proposing something like:
> {code}                        
> diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> index a9b0fbf..c6c1755 100644
> --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> @@ -153,6 +153,16 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
>          user = ((NameCallback) callbacks[0]).getName();
>  
>          char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
> +        
> +        // If either a username or password is specified don't allow authentication
= "none".
> +        // This is to prevent someone from logging into Karaf as any user without providing
a 
> +        // valid password (because if authentication = none, the password could be any

> +        // value - it is ignored).
> +        if ("none".equals(authentication) && (user != null || tmpPassword !=
null)) {
> +            // default to simple so that the provided user/password will get checked
> +            authentication = "simple";
> +        }
> +        
>          if (tmpPassword == null) {
>              tmpPassword = new char[0];
>          }
>         
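Review bot: the condition `if ("none".equals(authentication) && (user != null || tmpPassword != null))` is keyed on the login callbacks rather than on any configured LDAP credentials, and `user` comes straight from the NameCallback, so it is non-null on essentially every login attempt and the override fires every time. If that is the intent (Karaf has no use for an anonymous login), it is cleaner to reject `authentication = none` when the module is configured, or to fail the login here, than to silently rewrite the `authentication` field on each call; the issue title ("if LDAP user or password is provided") should also be reworded so it does not read as referring to the connection account. Separately, the unchanged lines below still coerce a null password to `new char[0]`, so a valid username with no password now proceeds to a simple bind with an empty password; directories that accept unauthenticated simple binds (RFC 4513 section 5.1.2) will answer that bind with success, so consider also rejecting an empty `tmpPassword` in this block instead of letting it fall through.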
> {code}
> I'll commit the changes once I get my karma set up and if there are no objections :-)



--
This message was sent by Atlassian JIRA
(v6.1#6144)
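The behaviour the issue describes, the rule the proposed diff adds, and the empty-password case it leaves open, as an added model in Python. This is illustration code, not Karaf's LDAPLoginModule: an in-memory dict stands in for the LDAP server's bind operation, the DN layout (uid=<user>,ou=users,dc=example,dc=org), the sample accounts and the allow_unauthenticated switch are constructed for the example, and the module is simplified to bind directly as the user's DN instead of searching for it first.

```python
"""Model of the login decision changed by KARAF-2528.

Added example, not Karaf code. An in-memory dict stands in for the LDAP
server's bind operation; the user DN layout, the sample accounts and the
allow_unauthenticated switch are assumptions for the demonstration.
"""
from typing import Optional

# Constructed sample directory: user DN -> password (not a real deployment).
USER_BASE_DN = "ou=users,dc=example,dc=org"
DIRECTORY = {
    f"uid=alice,{USER_BASE_DN}": "s3cret",
    f"uid=bob,{USER_BASE_DN}": "hunter2",
}


def user_dn(user: str) -> str:
    """Assumed mapping of a login name to its DN (user.base.dn style)."""
    return f"uid={user},{USER_BASE_DN}"


def ldap_bind(authentication: str, dn: str, password: str,
              allow_unauthenticated: bool = False) -> bool:
    """Stand-in for the LDAP server's Bind operation.

    'none'   anonymous bind: always succeeds, credentials are ignored.
    'simple' DN + password must match. A DN with an empty password is an
             *unauthenticated* bind (RFC 4513 section 5.1.2): servers should
             reject it by default but can be configured to accept it.
    """
    if authentication == "none":
        return True
    if authentication == "simple":
        if password == "":
            return allow_unauthenticated and dn in DIRECTORY
        return DIRECTORY.get(dn) == password
    raise ValueError(f"unsupported authentication mode: {authentication}")


def login_before_fix(authentication: str, user: str, password: Optional[str],
                     allow_unauthenticated: bool = False) -> bool:
    """Pre-patch behaviour: the configured mode is used as-is, so with
    authentication = none any username is accepted."""
    return ldap_bind(authentication, user_dn(user), password or "",
                     allow_unauthenticated)


def login_with_patch(authentication: str, user: Optional[str],
                     password: Optional[str],
                     allow_unauthenticated: bool = False) -> bool:
    """The rule from the proposed diff: if a username or password was
    supplied, fall back to 'simple' so the credentials get checked."""
    if authentication == "none" and (user is not None or password is not None):
        authentication = "simple"
    if password is None:
        password = ""  # mirrors the `new char[0]` default below the hunk
    return ldap_bind(authentication, user_dn(user or ""), password,
                     allow_unauthenticated)


def login_hardened(authentication: str, user: Optional[str],
                   password: Optional[str],
                   allow_unauthenticated: bool = False) -> bool:
    """Tighter variant: refuse 'none' outright and refuse empty credentials,
    so the simple bind can never degrade into an unauthenticated bind."""
    if authentication != "simple":
        return False
    if not user or not password:
        return False
    return ldap_bind("simple", user_dn(user), password, allow_unauthenticated)


if __name__ == "__main__":
    print("before fix, none, mallory:",
          login_before_fix("none", "mallory", "whatever"))
    print("patched,    none, mallory:",
          login_with_patch("none", "mallory", "whatever"))
    print("patched,    none, alice + empty password, permissive server:",
          login_with_patch("none", "alice", "", allow_unauthenticated=True))
    print("hardened,   none, alice + empty password, permissive server:",
          login_hardened("none", "alice", "", allow_unauthenticated=True))
```

The first call shows the reported problem: with `none` the supplied name and password never reach the server. The second shows the diff's fallback to `simple` doing its job. The third is the case the diff does not close: once the null password becomes an empty one, a server that permits unauthenticated simple binds accepts the bind for any existing DN, which is why the hardened variant refuses empty credentials before binding at all.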
