dcm4che / dcm4chee-arc-light

DICOM Archive J2EE application

DCM4CHEE Archive 5.30.0 ldap password seems to be hardcoded somewhere as "secret", the one in ldap.properties irrelevant - !!!potential security issue!!! #4184

Closed nvulin closed 1 year ago

nvulin commented 1 year ago

Describe the bug

!POTENTIAL SECURITY ISSUE!

DCM4CHEE Archive 5.30.0 (for mysql): ldap password seems to be hardcoded somewhere as "secret" and password in ldap.properties seems to be irrelevant.

To Reproduce

Steps to reproduce the behavior:

  1. Do the installation as per manual using e.g. "123" as ldap password. Be sure to have it registered in ldap.properties accordingly.
  2. On deploying dcm4chee-arc-ear-5.30.0-mysql.ear you'll get
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"dcm4chee-arc-ear-5.30.0-mysql.ear\".\"dcm4chee-arc-service-5.30.0.jar\".component.ArchiveServiceImpl.START" => "java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: javax.ejb.EJBException: org.jboss.weld.exceptions.WeldException: WELD-000049: Unable to invoke private void org.dcm4chee.arc.impl.ArchiveDeviceProducer.init() on org.dcm4chee.arc.impl.ArchiveDeviceProducer@1ddfb0a
    Caused by: org.jboss.weld.exceptions.WeldException: WELD-000049: Unable to invoke private void org.dcm4chee.arc.impl.ArchiveDeviceProducer.init() on org.dcm4chee.arc.impl.ArchiveDeviceProducer@1ddfb0a
    Caused by: java.lang.reflect.InvocationTargetException
    Caused by: javax.enterprise.inject.CreationException
    Caused by: org.dcm4che3.conf.api.ConfigurationException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"}}}}
  3. Change the ldap admin password using Apache Directory Studio to "secret". Even if the password in ldap.properties is still "123", the deployment of dcm4chee-arc-ear-5.30.0-mysql.ear will go through smoothly.

Expected behavior

To be able to pick up your ldap admin password as you see fit, as long as you register it in ldap.properties properly.

Server config:

Additional context NA

gunterze commented 1 year ago

Not reproducible:

$ cat docker-compose.yml 
version: "3"
services:
  ldap:
    image: dcm4che/slapd-dcm4chee:2.6.5-31.0
    environment:
      LDAP_ROOTPASS: 123
  db:
    image: dcm4che/postgres-dcm4chee:15.3-31
    environment:
      POSTGRES_DB: pacsdb
      POSTGRES_USER: pacs
      POSTGRES_PASSWORD: pacs
  arc:
    image: dcm4che/dcm4chee-arc-psql:5.31.0
    environment:
      LDAP_ROOTPASS: 123
      POSTGRES_DB: pacsdb
      POSTGRES_USER: pacs
      POSTGRES_PASSWORD: pacs
    depends_on:
      - ldap
      - db
$ docker-compose up -d
Creating network "dcm4chee-arc-psql_default" with the default driver
Creating dcm4chee-arc-psql_db_1   ... done
Creating dcm4chee-arc-psql_ldap_1 ... done
Creating dcm4chee-arc-psql_arc_1  ... done
$ docker-compose exec arc tail /opt/wildfly/standalone/log/server.log
2023-08-24 08:30:32,144 INFO  [org.dcm4che3.net.Connection] (EE-ManagedExecutorService-default-Thread-2) Start TCP Listener on /0.0.0.0:11112
2023-08-24 08:30:32,144 INFO  [org.dcm4che3.net.Connection] (EE-ManagedExecutorService-default-Thread-1) Start TCP Listener on /0.0.0.0:2575
2023-08-24 08:30:32,241 INFO  [org.dcm4che3.net.Connection] (EE-ManagedExecutorService-default-Thread-3) Start TCP Listener on /0.0.0.0:12575
2023-08-24 08:30:32,241 INFO  [org.dcm4che3.net.Connection] (EE-ManagedExecutorService-default-Thread-4) Start TCP Listener on /0.0.0.0:2762
2023-08-24 08:30:32,363 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0010: Deployed "dcm4chee-arc-ui2-5.31.0.war" (runtime-name : "dcm4chee-arc-ui2-5.31.0.war")
2023-08-24 08:30:32,364 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0010: Deployed "dcm4chee-arc-ear-5.31.0-psql.ear" (runtime-name : "dcm4chee-arc-ear-5.31.0-psql.ear")
2023-08-24 08:30:32,392 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
2023-08-24 08:30:32,395 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 26.1.2.Final (WildFly Core 18.1.2.Final) started in 7700ms - Started 3129 of 3345 services (456 services are lazy, passive or on-demand) - Server configuration file in use: dcm4chee-arc.xml
2023-08-24 08:30:32,396 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0062: Http management interface listening on http://0.0.0.0:9990/management and https://0.0.0.0:9993/management
$ docker-compose exec ldap ldapsearch -xw secret -Dcn=admin,dc=dcm4che,dc=org -s base -b dc=dcm4che,dc=org
ldap_bind: Invalid credentials (49)
$ docker-compose exec ldap ldapsearch -xw 123 -Dcn=admin,dc=dcm4che,dc=org -s base -b dc=dcm4che,dc=org
# extended LDIF
#
# LDAPv3
# base <dc=dcm4che,dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# dcm4che.org
dn: dc=dcm4che,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: dcm4che.org
dc: dcm4che

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
nvulin commented 1 year ago

You are trying to reproduce on a docker install, while the installation this happens on is a manual installation from scratch directly on Ubuntu 22 LTS, not a container/docker one. It reproduces easily, as I tried and retried reinstalling a few times, starting with a new Ubuntu 22 setup and building up according to the manual. It does not work unless the ldap pass is "secret".