Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2010/06/19 10:09:24 UTC

[jira] Commented: (DIRSERVER-1325) Simple Authentication can not be disabled

    [ https://issues.apache.org/jira/browse/DIRSERVER-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12880453#action_12880453 ] 

Emmanuel Lecharny commented on DIRSERVER-1325:
----------------------------------------------

There are 2 different methods for authentication: Simple and SASL. It's combined with some mechanisms and some secure layer (SSL and TLS). RFC 4513 specifies the way all those elements are combined.

Simple authentication method:
- first, the simple anonymous authentication MUST be supported (RFC 4513, par. 2)
- second, the simple name/password authentication MUST be supported (RFC 4513, par. 2) but SHOULD be disabled by default if either LDAPS or TLS is not used. This is not currently the case, and has to be fixed

SASL authentication method:
- PLAIN and ANONYMOUS SASL mechanisms are disabled, as they are already provided through the Simple method (at least, they should be disabled)
- the EXTERNAL mechanism can be used to establish an authentication using a lower security layer (TLS) (RFC 4513, par. 5.1.3)

All this has to be reviewed and documented.
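To make the rules above concrete, here is an added example (not ApacheDS code) of a bind-decision function that applies them: anonymous simple bind allowed, simple name/password refused unless a secure layer is present or an explicit switch enables it, SASL PLAIN/ANONYMOUS refused, EXTERNAL tied to a TLS client certificate. The `Bind` and `Policy` classes are a constructed model of the server's view of a request; the `allow_simple` switch stands in for the is/set pair the report proposes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bind:
    """One bind request as seen by the server (constructed model, not the ApacheDS API)."""
    method: str                        # "simple" or "sasl"
    mechanism: Optional[str] = None    # SASL mechanism name when method == "sasl"
    name: str = ""                     # bind DN; empty name and password = anonymous
    password: str = ""
    secure_layer: bool = False         # LDAPS or Start TLS already in place
    client_cert: bool = False          # TLS client certificate presented (for EXTERNAL)


@dataclass
class Policy:
    """Server switches; allow_simple is the is/set pair the report asks for (assumed name)."""
    allow_anonymous: bool = True
    allow_simple: bool = True
    require_tls_for_simple: bool = True          # RFC 4513 SHOULD: off unless TLS/LDAPS
    sasl_handlers: frozenset = frozenset({"EXTERNAL"})


def decide(bind: Bind, policy: Policy) -> str:
    """Return 'accept' or 'reject: <reason>' for a bind, following the rules above."""
    if bind.method == "simple":
        if bind.name == "" and bind.password == "":
            return "accept" if policy.allow_anonymous else "reject: anonymous disabled"
        # The check has to live on the simple-bind path itself: the SASL handler
        # table is never consulted here, which is why unregistering a "SIMPLE"
        # SASL handler left simple binds working in the original report.
        if not policy.allow_simple:
            return "reject: simple name/password disabled"
        if policy.require_tls_for_simple and not bind.secure_layer:
            return "reject: simple name/password requires TLS or LDAPS"
        return "accept"
    if bind.method == "sasl":
        if bind.mechanism in ("PLAIN", "ANONYMOUS"):
            return "reject: PLAIN/ANONYMOUS are served by the simple method"
        if bind.mechanism not in policy.sasl_handlers:
            return "reject: unsupported SASL mechanism"
        if bind.mechanism == "EXTERNAL" and not (bind.secure_layer and bind.client_cert):
            return "reject: EXTERNAL needs a TLS client certificate"
        return "accept"
    return "reject: unknown authentication method"
```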

> Simple Authentication can not be disabled
> -----------------------------------------
>
>                 Key: DIRSERVER-1325
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1325
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.5.4
>            Reporter: Andreas Kyrmegalos
>            Priority: Minor
>             Fix For: 2.0.0-RC1
>
>
> Recently upgraded to the 1.5 branch (1.5.4). Nice new feature set. While fiddling with the settings I noticed this option:
>  <simpleMechanismHandler mech-name="SIMPLE"/>
> under the saslMechanismHandlers header. So, I assumed that, based on the name, one is to understand that (since SASL PLAIN and LDAP SIMPLE are a 1:1 match) the ldap simple/sasl plain authentication can be deactivated. After commenting the above mentioned setting, SASL PLAIN is no longer mentioned in "supportedSASLMechanisms" and if one attempts to use it, a javax.naming.AuthenticationNotSupportedException is what one gets. Unfortunately, if one tries to use SIMPLE as an authentication mechanism, the bind succeeds. This also holds true for the 1.5.5 trunk (as of 3/9/2009). This can be fixed by adding a typical is/set pair for a boolean value, just like the case for anonymous access, in org.apache.directory.server.core.DirectoryService.java, making a check when authenticate() is called in org.apache.directory.server.core.SimpleAuthenticator and adding the relevant setting to defaultDirectoryService in server.xml. Did this myself, seems to work as intended.
