#475 new
Alexei Bratuhin

LDAP login with empty password

Reported by Alexei Bratuhin | November 15th, 2011 @ 08:21 AM

If LDAP servers supports anonymous sessions, then a login with an username (existing in LDAP) and empty password becomes possible.
The problem is that call to InitialDirContext constructor doesn't require an AD bind and if Context.SECURITY_CREDENTIALS contains empty string authentication method 'none' (anonymous) is used.

Affected: Rundeck 1.3+ with implemented
See commit https://github.com/coiouhkc/rundeck/commit/a8f999efc66d2131800fd53e...

Possible workaround is:
JettyCachingLdapLoginModule.java, ll.528-534

String pass = (String) password;

Hashtable environment = getEnvironment();
environment.put(Context.SECURITY_PRINCIPAL, userDn);
environment.put(Context.SECURITY_CREDENTIALS, (pass.trim().isEmpty() ? "password_that_would_be never_used" : pass));

DirContext dirContext = new InitialDirContext(environment);

No comments found

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues

Shared Ticket Bins

People watching this ticket