Closed bantunes closed 10 years ago
I have the same problem with Alfresco: any user can log in with a proper login name and any password. This is a really critical security bug. Anyone who knows a login name can log in. This fix works perfectly.
Actually, I always assumed that the anonymous state is correct:
When the directory server receives a BIND request from a client, the authorization state of that connection is set to anonymous. If the BIND request is successful, the authorization state of the connection is set to the state for the identity in the BIND request; if the BIND request is not successful, the session remains in the anonymous state.
http://www.ldapguru.info/ldap/authentication-best-practices.html
I don't see a reason for anonymous to be accepted as an authenticated user?
Maybe... but some apps consider anonymous an authenticated user; this is a fact. I know two (OpenVPN, Alfresco). This is very bad when the VPN accepts any user... The same applications integrated with AD work fine; I have tested it. So, where is the bug?
Apache Directory Studio is the fourth app.
I think it should only bind anonymously if the passed credentials (user and password) are null; and even this can depend on the configuration of the LDAP server. Binding as anonymous can also be denied.
Anonymous can be considered an "authenticated" user if the bind succeeds. It is the anonymous user; it will have the access permissions that are defined for it.
best regards, Bruno Antunes
I'll take a look at this when I am back in town :)
Meanwhile you should probably check whether you can configure authorization, because the anonymous user should not have any groups.
There is also an AD mode that you can activate, which allows retrieving the groups together with the user entry.
Regards, Dieter
Changes added.
I still recommend checking authorization, especially when it comes to services like OpenVPN and your document repository...
When performing a second bind on crowd-ldap-server, it seems to perform anonymous authentication.
Examining the code in class net.wimpi.crowd.ldap.CrowdAuthenticator, in the authenticate method: if it fails authenticating, it returns LdapPrincipal.ANONYMOUS.
Typically, authenticators that use LDAP to authenticate will perform two binds:
Integrating crowd-ldap-server with this kind of application (tested with gitblit), the second bind succeeds, and the application can assume that the user is authenticated.
I tested a simple change (that works) on your implementation so that it does not default to anonymous but throws an authentication exception instead.
With this simple change, the second bind will fail when passing wrong credentials.
Proposed change:
regards, Bruno Antunes
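The two points made in this thread, the RFC 4513 rule that a failed bind leaves the connection anonymous and the two-bind login pattern that lets a "failed bind returns ANONYMOUS" authenticator pass any password, can be reproduced in a few lines. The following is an added example written for this page; it is not crowd-ldap-server's code and does not use ApacheDS or Crowd. The in-memory directory, the DNs, the service account and the passwords are constructed for illustration, `buggy_authenticate` mimics the behaviour reported for `CrowdAuthenticator.authenticate` (wrong credentials yield the anonymous principal instead of an error), and `fixed_authenticate` implements the proposed behaviour (raise on failure, anonymous only for an explicit empty bind). `hardened_login` additionally shows the client-side checks an application can make regardless of the server (refuse empty passwords, confirm the bound identity):

```python
"""Added example, not crowd-ldap-server code: a model of LDAP bind state and
of the two-bind login pattern used by applications such as gitblit, OpenVPN
or Alfresco.  All directory data below is constructed for illustration."""
import hmac

ANONYMOUS = ""  # LDAP represents the anonymous identity as the empty DN


class InvalidCredentials(Exception):
    """Stands in for LDAP resultCode invalidCredentials (49)."""


# Constructed backend: DN -> password (in the real server this is Crowd).
DIRECTORY = {
    "uid=bruno,ou=users,dc=example,dc=com": "correct horse battery staple",
    "uid=svc-ldap,ou=users,dc=example,dc=com": "service-secret",
}
SERVICE_DN = "uid=svc-ldap,ou=users,dc=example,dc=com"
SERVICE_PASSWORD = "service-secret"


def buggy_authenticate(dn, password):
    """Reported behaviour: wrong credentials do not fail the bind, they
    silently downgrade the connection to the anonymous principal."""
    if dn in DIRECTORY and hmac.compare_digest(DIRECTORY[dn], password):
        return dn
    return ANONYMOUS


def fixed_authenticate(dn, password):
    """Proposed behaviour: only an explicit anonymous bind (empty DN and
    empty password) yields the anonymous principal; anything else must match
    the stored password or the bind fails with invalidCredentials."""
    if dn == "" and password == "":
        return ANONYMOUS  # a real server may be configured to deny this too
    if dn in DIRECTORY and hmac.compare_digest(DIRECTORY[dn], password):
        return dn
    raise InvalidCredentials(dn)


class Connection:
    """One client connection.  Per RFC 4513 the authorization state starts
    anonymous and changes only when a bind succeeds."""

    def __init__(self, authenticator):
        self._authenticate = authenticator
        self.authz = ANONYMOUS

    def bind(self, dn, password):
        try:
            self.authz = self._authenticate(dn, password)
            return True
        except InvalidCredentials:
            self.authz = ANONYMOUS
            return False

    def whoami(self):
        """Models the "Who am I?" extended operation (RFC 4532)."""
        return self.authz


def user_dn(username):
    # Stands in for the search the service account would normally perform.
    return f"uid={username},ou=users,dc=example,dc=com"


def naive_login(authenticator, username, password):
    """Two-bind pattern as commonly implemented: bind as the service account,
    look the user up, bind again as the user, and treat 'second bind returned
    success' as 'user authenticated'."""
    service = Connection(authenticator)
    if not service.bind(SERVICE_DN, SERVICE_PASSWORD):
        return False
    dn = user_dn(username)
    if dn not in DIRECTORY:
        return False
    user = Connection(authenticator)
    return user.bind(dn, password)


def hardened_login(authenticator, username, password):
    """Same pattern with two client-side checks: refuse an empty password
    (an unauthenticated bind, RFC 4513 section 5.1.2, succeeds on many
    servers) and verify after the second bind that the connection is bound
    as the user rather than as anonymous."""
    if not password:
        return False
    service = Connection(authenticator)
    if not service.bind(SERVICE_DN, SERVICE_PASSWORD):
        return False
    dn = user_dn(username)
    if dn not in DIRECTORY:
        return False
    user = Connection(authenticator)
    return user.bind(dn, password) and user.whoami() == dn


if __name__ == "__main__":
    for server in (buggy_authenticate, fixed_authenticate):
        for login in (naive_login, hardened_login):
            print(server.__name__, login.__name__,
                  "wrong password ->", login(server, "bruno", "wrong"))
```

Against the buggy authenticator the naive application accepts a wrong password because the second bind "succeeds" as anonymous, exactly the gitblit/OpenVPN/Alfresco symptom; against the fixed authenticator the same application rejects it. The hardened variant rejects the wrong password even against the buggy server, which is the authorization-side check recommended in the thread: do not trust a successful bind, check who you are bound as and what that identity is allowed to do.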