LDAP login with empty password
Reported by Alexei Bratuhin | November 15th, 2011 @ 08:21 AM
If the LDAP server supports anonymous sessions, then a login with
a username (existing in LDAP) and an empty password becomes
possible.
The problem is that the call to the InitialDirContext constructor doesn't
require an AD bind, and if Context.SECURITY_CREDENTIALS contains an
empty string, the authentication method 'none' (anonymous) is used.
Affected: Rundeck 1.3+ with implemented
http://rundeck.lighthouseapp.com/projects/59277-development/tickets...
See commit
https://github.com/coiouhkc/rundeck/commit/a8f999efc66d2131800fd53e...
A possible workaround is:
JettyCachingLdapLoginModule.java, ll.528-534

    String pass = (String) password;
    Hashtable environment = getEnvironment();
    environment.put(Context.SECURITY_PRINCIPAL, userDn);
    // Never hand JNDI an empty credential: an empty string is what lets the
    // bind degrade to the anonymous ('none') method. Substitute a value that
    // can never match a real password so the bind fails instead.
    environment.put(Context.SECURITY_CREDENTIALS,
        (pass.trim().isEmpty() ? "password_that_would_be never_used" : pass));
    // The constructor performs the bind against the directory.
    DirContext dirContext = new InitialDirContext(environment);
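The following is an added example, not Rundeck's code and not the reporter's patch: it shows the same mitigation done the way a login module should do it, by refusing blank credentials before JNDI opens a connection and by requesting "simple" authentication explicitly so the bind cannot silently fall back to "none". The class and method names (LdapBindGuard, authenticate) and the example URL and DN are assumptions made for the illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added illustration, not project code: a guarded LDAP bind that rejects
 * blank credentials locally so an empty password is never sent to the
 * directory, where it could be accepted as an anonymous or unauthenticated bind.
 * LdapBindGuard and authenticate() are hypothetical names.
 */
public final class LdapBindGuard {

    private final String providerUrl; // e.g. "ldap://ldap.example.test:389" (placeholder)

    public LdapBindGuard(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /** Returns true only if the server accepted a simple bind with a non-blank password. */
    public boolean authenticate(String userDn, char[] password) {
        // 1. Fail closed on missing or blank input before any network I/O.
        if (userDn == null || userDn.trim().isEmpty()) {
            return false;
        }
        if (!hasNonBlankChar(password)) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        // 2. Request simple authentication explicitly; with no credentials set,
        //    JNDI would otherwise default to the anonymous ("none") method.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the constructor performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password, or the server refused the bind
        } catch (NamingException e) {
            return false; // connectivity or configuration problem: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** True if the password contains at least one non-whitespace character. */
    static boolean hasNonBlankChar(char[] password) {
        if (password == null) {
            return false;
        }
        for (char c : password) {
            if (!Character.isWhitespace(c)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        LdapBindGuard guard = new LdapBindGuard("ldap://ldap.example.test:389");
        // A blank password is rejected locally; no connection is attempted.
        boolean blank = guard.authenticate("uid=alice,ou=people,dc=example,dc=test", "   ".toCharArray());
        System.out.println("blank password accepted: " + blank);
    }
}
```

The local check is the part that matters: whether a DN with an empty password yields a successful bind depends on the directory server's configuration (RFC 4513 calls this an unauthenticated bind and leaves it to server policy), so an application that only relies on the server rejecting it is one configuration change away from the behaviour described in this ticket.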
(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues