
[FIXED JENKINS-13595] when attempting anonymous bind, don't specify the user name.

If AD is configured not to allow anonymous bind, it'll be recorded as a failed login attempt, and depending on the security policy in question, it can lock the user out.
kohsuke committed Apr 26, 2012
1 parent feef048 commit 1c4d2ee8b341426490db97fb5a72541ffdb1eec7
Showing with 13 additions and 4 deletions.
  1. +13 −4 src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
@@ -409,11 +409,20 @@ private LdapContext bind(String principalName, String password, SocketInfo serve
}
}

// authenticate after upgrading to TLS, so that the credential won't go in clear text
context.addToEnvironment(Context.SECURITY_PRINCIPAL, principalName);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
if (principalName==null || password==null || password.equals("")) {
// anonymous bind. LDAP uses empty password as a signal to anonymous bind (RFC 2829 5.1),
// which means it can never be the actual user password.
context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none");
} else {
// authenticate after upgrading to TLS, so that the credential won't go in clear text
context.addToEnvironment(Context.SECURITY_PRINCIPAL, principalName);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
}

// this is supposed to cause the LDAP bind operation with the server,
// but I notice that AD may still accept this and yet fail to search later
// but I notice that AD may still accept this and yet fail to search later,
// when I tried anonymous bind.
// if I do specify a wrong credential, this seems to fail.
context.reconnect(null);

return context; // worked
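Review bot: the `else` branch sets only `Context.SECURITY_PRINCIPAL` and `Context.SECURITY_CREDENTIALS` and leaves `Context.SECURITY_AUTHENTICATION` unset, so the authenticated path depends on the JNDI default rather than stating it; adding `context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");` there makes the two branches symmetric and guarantees a context whose environment previously held `"none"` cannot be reconnected as an authenticated bind. Two further points worth a look: the new condition routes `principalName==null` into the anonymous branch even when `password` is non-empty, silently discarding that credential, so a short comment stating this is intended would help; and because an empty password now yields an anonymous bind instead of a bind as the named user, every caller of `bind()` that passes user-supplied credentials must not treat a returned context as proof that the user authenticated (the hunk's own comment already notes AD may accept the bind and only fail on the later search).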
