LDAP login with empty password #115

Closed
gschueler opened this Issue Jun 23, 2012 · 0 comments

gschueler commented Jun 23, 2012

If the LDAP server supports anonymous sessions, then a login with a username (existing in LDAP) and an empty password becomes possible.
The problem is that the call to the InitialDirContext constructor doesn't require an AD bind, and if Context.SECURITY_CREDENTIALS contains an empty string, the authentication method 'none' (anonymous) is used.

Affected: Rundeck 1.3+ with implemented
http://rundeck.lighthouseapp.com/projects/59277-development/tickets/474-feature-request-hybrid-ldapproperties-login-module
See commit coiouhkc@a8f999e

Possible workaround is:
JettyCachingLdapLoginModule.java, ll.528-534

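```java
String pass = (String) password;

Hashtable environment = getEnvironment();
environment.put(Context.SECURITY_PRINCIPAL, userDn);
// An empty credential makes JNDI use authentication method 'none' (anonymous),
// so a non-empty placeholder is substituted to force a real bind attempt.
environment.put(Context.SECURITY_CREDENTIALS, (pass.trim().isEmpty() ? "password_that_would_be never_used" : pass));

DirContext dirContext = new InitialDirContext(environment);
```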

original LH ticket

Original Creator: Alexei Bratuhin

@gschueler gschueler closed this in 915adc0 Jan 7, 2019

gschueler added a commit that referenced this issue Jan 7, 2019

@gschueler gschueler added this to the 3.0.12 milestone Jan 7, 2019
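
A stricter variant of the workaround in the issue, as an added example that is not part of the original issue or of Rundeck's code: it refuses a missing or blank password before any bind is attempted, instead of substituting a placeholder. The class and method names, the provider URL and the DN are constructed for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapBindCheck {

    /** True when the credential is missing or blank and must never reach the bind. */
    static boolean isBlankCredential(Object password) {
        if (password == null) return true;
        if (password instanceof char[]) return new String((char[]) password).trim().isEmpty();
        if (password instanceof byte[]) return ((byte[]) password).length == 0;
        return password.toString().trim().isEmpty();
    }

    /** Binds as userDn with simple authentication; fails closed on empty input. */
    static DirContext bindAsUser(String providerUrl, String userDn, Object password)
            throws NamingException {
        // Reject here: with an empty credential JNDI would use method 'none'
        // (anonymous), and a server allowing anonymous sessions would accept it.
        if (userDn == null || userDn.trim().isEmpty() || isBlankCredential(password)) {
            throw new AuthenticationException("empty DN or password rejected before bind");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Constructed inputs: every one is blank, so no network connection is made.
        Object[] constructed = { "", "   ", null, new char[0] };
        for (Object pw : constructed) {
            try {
                bindAsUser("ldap://ldap.example.invalid:389",
                           "uid=alice,ou=people,dc=example,dc=invalid", pw);
                System.out.println("UNEXPECTED: bind attempted");
            } catch (NamingException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting the login outright keeps the failure visible in the authentication path, and the null and `char[]` cases are covered as well as the empty `String` the workaround handles.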
