Posted to oak-issues@jackrabbit.apache.org by "Tobias Bocanegra (JIRA)" <ji...@apache.org> on 2014/09/07 07:58:28 UTC

[jira] [Resolved] (OAK-2078) Prevent null/empty passwords in ldap provider

     [ https://issues.apache.org/jira/browse/OAK-2078?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tobias Bocanegra resolved OAK-2078.
-----------------------------------
    Resolution: Fixed

fixed in r1622973

> Prevent null/empty passwords in ldap provider
> ---------------------------------------------
>
>                 Key: OAK-2078
>                 URL: https://issues.apache.org/jira/browse/OAK-2078
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.5
>            Reporter: Tobias Bocanegra
>            Assignee: Tobias Bocanegra
>             Fix For: 1.1
>
>
> LDAP specifies anonymous authentication by passing an empty password. The default LDAP provider in Oak uses the bind method to validate the user credentials. Passing an empty password wrongly authenticates the user against the repository, if the LDAP server is not secured enough.
> http://tools.ietf.org/html/rfc4513#section-5.1.1
> {quote}
> 5.1.1.  Anonymous Authentication Mechanism of Simple Bind
>    An LDAP client may use the anonymous authentication mechanism of the
>    simple Bind method to explicitly establish an anonymous authorization
>    state by sending a Bind request with a name value of zero length and
>    specifying the simple authentication choice containing a password
>    value of zero length.
> {quote}
> and further:
> {quote}
> Unauthenticated Bind operations can have significant security issues
>    (see Section 6.3.1).  In particular, users intending to perform
>    Name/Password Authentication may inadvertently provide an empty
>    password and thus cause poorly implemented clients to request
>    Unauthenticated access.  Clients SHOULD be implemented to require
>    user selection of the Unauthenticated Authentication Mechanism by
>    means other than user input of an empty password.  Clients SHOULD
>    disallow an empty password input to a Name/Password Authentication
>    user interface.  Additionally, Servers SHOULD by default fail
>    Unauthenticated Bind requests with a resultCode of
>    unwillingToPerform.
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
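The following is an added example, not code from the issue above and not Oak's actual fix in r1622973. It models the simple Bind rules of RFC 4513 sections 5.1.1 and 5.1.2 with a constructed in-memory server (no real LDAP library), then shows a bind-based password check before and after the null/empty-password rejection the issue asks for. The DN, the directory entry and the passwords are constructed; the `authz_id` field on the bind result is a simplification, since a real BindResponse does not carry the authorization identity (a client would have to ask via the "Who am I?" extended operation of RFC 4532 to learn it).

```python
"""Empty-password simple Bind: why a bind-based credential check must
reject null/empty passwords before talking to the server (RFC 4513 5.1)."""

from dataclasses import dataclass
from typing import Dict, Optional

# LDAP resultCode values from RFC 4511, Appendix A.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# Constructed test data; not a real directory.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
ALICE_PASSWORD = "correct horse battery staple"


@dataclass
class BindResult:
    result_code: int
    # Simplification for this example: the authorization identity the
    # server ended up with ("" = anonymous). A real BindResponse does not
    # return this; RFC 4532 "Who am I?" would be needed to observe it.
    authz_id: str


class SimulatedLdapServer:
    """In-memory model of simple Bind semantics from RFC 4513 section 5.1."""

    def __init__(self, allow_unauthenticated: bool) -> None:
        # RFC 4513 5.1.2: servers SHOULD fail unauthenticated binds by
        # default, but it is a configurable (and often relaxed) setting.
        self.allow_unauthenticated = allow_unauthenticated
        self.passwords: Dict[str, str] = {ALICE_DN: ALICE_PASSWORD}

    def simple_bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            # 5.1.1 anonymous mechanism: always succeeds, anonymous authz.
            return BindResult(SUCCESS, "")
        if password == "":
            # 5.1.2 unauthenticated mechanism: name given, no password.
            if self.allow_unauthenticated:
                return BindResult(SUCCESS, "")  # "succeeds", but as anonymous
            return BindResult(UNWILLING_TO_PERFORM, "")
        # 5.1.3 name/password mechanism: the only branch that proves a password.
        if self.passwords.get(name) == password:
            return BindResult(SUCCESS, "dn:" + name)
        return BindResult(INVALID_CREDENTIALS, "")


def authenticate_naive(server: SimulatedLdapServer, dn: str,
                       password: Optional[str]) -> bool:
    """Before the fix: any successful bind is taken as a verified password.

    A null password is commonly serialised as a zero-length value, so both
    None and "" reach the server as the unauthenticated mechanism.
    """
    wire_password = password if password is not None else ""
    return server.simple_bind(dn, wire_password).result_code == SUCCESS


def authenticate_fixed(server: SimulatedLdapServer, dn: str,
                       password: Optional[str]) -> bool:
    """After: refuse null/empty input client-side (RFC 4513 5.1.2 SHOULD),
    and additionally insist on a non-anonymous authorization identity."""
    if not dn or password is None or password == "":
        return False
    result = server.simple_bind(dn, password)
    return result.result_code == SUCCESS and result.authz_id != ""


if __name__ == "__main__":
    lax = SimulatedLdapServer(allow_unauthenticated=True)
    for pw in ("", None, "wrong", ALICE_PASSWORD):
        print(f"password={pw!r:32} naive={authenticate_naive(lax, ALICE_DN, pw)!s:5} "
              f"fixed={authenticate_fixed(lax, ALICE_DN, pw)}")
```

With a lax server the naive check accepts `""` and `None` for any existing DN; the fixed check rejects them without sending a request, so the outcome no longer depends on how the directory is configured. Even against a server that returns unwillingToPerform, the client-side check is still worth keeping: it avoids an unauthenticated bind that a server might log as a failed login, and it protects the repository if the directory's setting is later relaxed.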