Posted to oak-issues@jackrabbit.apache.org by "Tobias Bocanegra (JIRA)" <ji...@apache.org> on 2014/09/07 07:17:28 UTC
[jira] [Assigned] (OAK-2078) Prevent null/empty passwords in ldap provider
[ https://issues.apache.org/jira/browse/OAK-2078?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tobias Bocanegra reassigned OAK-2078:
-------------------------------------
Assignee: Tobias Bocanegra
> Prevent null/empty passwords in ldap provider
> ---------------------------------------------
>
> Key: OAK-2078
> URL: https://issues.apache.org/jira/browse/OAK-2078
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.5
> Reporter: Tobias Bocanegra
> Assignee: Tobias Bocanegra
> Fix For: 1.1
>
>
> LDAP specifies anonymous authentication by passing an empty password. The default LDAP provider in Oak uses the bind method to validate the user credentials. Passing an empty password wrongly authenticates the user against the repository, if the LDAP server is not secured enough.
> http://tools.ietf.org/html/rfc4513#section-5.1.1
> {quote}
> 5.1.1. Anonymous Authentication Mechanism of Simple Bind
> An LDAP client may use the anonymous authentication mechanism of the
> simple Bind method to explicitly establish an anonymous authorization
> state by sending a Bind request with a name value of zero length and
> specifying the simple authentication choice containing a password
> value of zero length.
> {quote}
> and further:
> {quote}
> Unauthenticated Bind operations can have significant security issues
> (see Section 6.3.1). In particular, users intending to perform
> Name/Password Authentication may inadvertently provide an empty
> password and thus cause poorly implemented clients to request
> Unauthenticated access. Clients SHOULD be implemented to require
> user selection of the Unauthenticated Authentication Mechanism by
> means other than user input of an empty password. Clients SHOULD
> disallow an empty password input to a Name/Password Authentication
> user interface. Additionally, Servers SHOULD by default fail
> Unauthenticated Bind requests with a resultCode of
> unwillingToPerform.
> {quote}
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
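The failure mode the issue describes, as an added example that is not Oak's code: a constructed in-memory directory that follows the RFC 4513 simple-bind rules (zero-length password gives an anonymous or unauthenticated bind that still returns success unless the server refuses it), the naive "bind succeeded, so the user is authenticated" check beside a guard that rejects null or empty credentials before any bind is attempted and also requires a non-anonymous authorization identity afterwards. The `FakeLdapServer`, its user table, the DN and the function names are assumptions made for this example; the result codes are the standard LDAP values.

```python
"""Added example (not Jackrabbit Oak's code): why an LDAP-bind-based login
must reject null/empty passwords before it ever talks to the directory."""
from dataclasses import dataclass
from typing import Dict, Optional

# Standard LDAP resultCode values (RFC 4511, section 4.1.9).
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


@dataclass
class BindResult:
    result_code: int
    authz_id: str  # authorization identity after the bind; "" means anonymous


class FakeLdapServer:
    """Constructed stand-in for a directory server with a tiny user table.

    reject_unauthenticated=True models the RFC 4513 5.1.2 server default
    (fail unauthenticated binds with unwillingToPerform)."""

    def __init__(self, users: Dict[str, str], reject_unauthenticated: bool = False):
        self.users = users  # DN -> password (plain, constructed test data only)
        self.reject_unauthenticated = reject_unauthenticated

    def simple_bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            # RFC 4513 5.1.1: anonymous mechanism, succeeds with anonymous authz.
            return BindResult(SUCCESS, "")
        if name != "" and password == "":
            # RFC 4513 5.1.2: unauthenticated mechanism. A lax server still
            # answers success, but the session is anonymous, not the named user.
            if self.reject_unauthenticated:
                return BindResult(UNWILLING_TO_PERFORM, "")
            return BindResult(SUCCESS, "")
        if self.users.get(name) == password:
            return BindResult(SUCCESS, name)
        return BindResult(INVALID_CREDENTIALS, "")


def authenticate_naive(server: FakeLdapServer, dn: str, password: Optional[str]) -> bool:
    """Mirrors the bug in the issue: a successful bind is taken as proof of identity.
    A None password is sent as an empty one, exactly the case the RFC warns about."""
    return server.simple_bind(dn, password or "").result_code == SUCCESS


def authenticate(server: FakeLdapServer, dn: Optional[str], password: Optional[str]) -> bool:
    """Hardened variant: refuse null/empty DN or password on the client side
    (the RFC 4513 'Clients SHOULD disallow an empty password input' rule) and,
    as defence in depth, require that the bind established the caller's own
    authorization identity rather than an anonymous one."""
    if not dn or password is None or len(password) == 0:
        return False
    result = server.simple_bind(dn, password)
    return result.result_code == SUCCESS and result.authz_id == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed DN
    lax = FakeLdapServer({alice: "correct horse"})
    print("naive check, empty password:", authenticate_naive(lax, alice, ""))   # True: the bug
    print("guarded check, empty password:", authenticate(lax, alice, ""))       # False
    print("guarded check, real password:", authenticate(lax, alice, "correct horse"))  # True
```

The client-side guard alone closes the hole the issue reports; the second condition (checking the authorization identity) only matters against a server that answers success to an unauthenticated bind, and the `reject_unauthenticated` flag shows the server-side default the RFC recommends, which stops the naive client as well.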