Closed derekwilhelm closed 8 months ago
build now
starting hero
Internal build has been started, your results will be available at build completion.
Build FAILURE See the job results in legacy Jenkins UI or in Blue Ocean UI.
Internal build has been started, your results will be available at build completion.
Build SUCCESS See the job results in legacy Jenkins UI or in Blue Ocean UI.
Hero passed 🎉
What does this PR do?
The LDAP login module allows a password to be empty when attempting to authenticate a user. This leaves the authentication decision up to the LDAP server as to how to process an empty password. If the LDAP server allows unauthenticated bind operations, this will make the LDAP login module assume the password was correct and the user is authorized for login even though the password was not correct/supplied. This means that any user would be able to log in as another valid LDAP user without supplying a password. While most LDAP servers should not be configured with this enabled, if it is enabled then this would be a security hole and DDF should not allow unauthenticated access. Guest access should be utilized instead.
This PR changes the SslLdapLoginModule to short circuit the login process if a password is not supplied or is blank.
Who is reviewing it?
@alexabird @jlcsmith
Select relevant component teams:
@codice/security
Ask 2 committers to review/merge the PR and tag them here.
@andrewkfiedler @pklinef
How should this be tested?
1. Set up an LDAP server (i.e. OpenLDAP) and configure some users (create an ssh group and add at least one user to it).
2. Configure the Security JAAS LDAP configuration to point to the LDAP server.
3. Configure the Karaf console login to use LDAP.
4. Restart DDF.
5. Using the client script in the DDF bin directory, attempt to log in using a user defined in LDAP.
6. Supply the proper password and verify the user is allowed to log in.
7. Attempt the login again, but this time don't supply a password (or type spaces).
8. Verify that the user is not allowed to log in and that an INFO log is generated in the ddf log that looks like:
12:21:55,279 | INFO | 5]-nio2-thread-2 | ddf.ldap.ldaplogin.SslLdapLoginModule 173 | security-jaas-ldap | No password supplied for LDAP login for user user01. Unauthenticated LDAP bind not allowed
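To make the bind semantics behind this PR concrete, here is an added example (not DDF or SslLdapLoginModule code) that simulates an LDAP server following RFC 4513 bind rules and contrasts a login module that forwards an empty password with one that short-circuits as the PR does; the directory entries, DN layout and the `allow_unauthenticated` flag are constructed for the demo.

```python
"""Added example (not DDF code): why an empty password must be rejected before
an LDAP bind. Per RFC 4513 section 5.1.2 a bind with a DN and an empty password
is an *unauthenticated* bind; a server that permits it returns success without
checking any credential. The naive login module below trusts that result."""
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s | %(message)s")
LOGGER = logging.getLogger("ldaplogin")

# Constructed directory: user DN -> real password.
DIRECTORY = {"uid=user01,ou=users,dc=example,dc=org": "S3cret!"}


def ldap_bind(dn, password, allow_unauthenticated):
    """Simulated LDAP simple bind following RFC 4513 semantics.

    Returns True on success. With an empty password the request is an
    unauthenticated bind: allowed only if the server is (mis)configured for it.
    """
    if dn not in DIRECTORY:
        return False
    if password == "":
        return allow_unauthenticated  # no credential is checked at all
    return DIRECTORY[dn] == password


def naive_login(user, password, allow_unauthenticated=True):
    """Vulnerable pattern: passes whatever it was given straight to the bind."""
    dn = f"uid={user},ou=users,dc=example,dc=org"
    return ldap_bind(dn, password or "", allow_unauthenticated)


def hardened_login(user, password, allow_unauthenticated=True):
    """Fixed pattern: short-circuit before any bind when no password was supplied
    (None or whitespace-only), logging the same message the PR emits."""
    if password is None or password.strip() == "":
        LOGGER.info("No password supplied for LDAP login for user %s. "
                    "Unauthenticated LDAP bind not allowed", user)
        return False
    dn = f"uid={user},ou=users,dc=example,dc=org"
    return ldap_bind(dn, password, allow_unauthenticated)


if __name__ == "__main__":
    for login in (naive_login, hardened_login):
        print(login.__name__, "empty password ->", login("user01", ""))
        print(login.__name__, "right password ->", login("user01", "S3cret!"))
```

With the server permitting unauthenticated binds, `naive_login` accepts `user01` with no password at all, while `hardened_login` rejects it without ever contacting the server.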
What are the relevant tickets?
Fixes: #____