dwimberger / crowd-ldap-server

Implementation of an LDAP server that delegates authentication to an Atlassian Crowd installation using the Crowd REST API.
Apache License 2.0

Defaulting to Bind anonymous on CrowdAuthenticator #2

Closed. bantunes closed this issue 10 years ago.

bantunes commented 11 years ago

When performing a second bind on crowd-ldap-server, it seems to perform anonymous authentication.

Examining the code of class net.wimpi.crowd.ldap.CrowdAuthenticator in the authenticate method: if authentication fails, it returns LdapPrincipal.ANONYMOUS.

Typically, authenticators that use LDAP for authentication will perform two binds:

Integrating crowd-ldap-server with this kind of application (tested with gitblit), the second bind succeeds, and the application can assume that the user is authenticated.

I tested a simple change (that works) on your implementation in order not to default to anonymous, throwing an authentication exception instead.

With this, the second bind will fail when passing wrong credentials.

Proposed Change:

diff --git a/src/main/java/net/wimpi/crowd/ldap/CrowdAuthenticator.java b/src/main/java/net/wimpi/crowd/ldap/CrowdAuthenticator.java
index 49508c7..3bbcab4 100644
--- a/src/main/java/net/wimpi/crowd/ldap/CrowdAuthenticator.java
+++ b/src/main/java/net/wimpi/crowd/ldap/CrowdAuthenticator.java
@@ -38,14 +38,14 @@ public class CrowdAuthenticator extends AbstractAuthenticator {
       User u = m_CrowdClient.authenticateUser(user, pass);
       if(u == null) {
         log.debug(c_ResourceBundle.getString("crowdauthenticator.authentication.failed") + "()::Authentication failed");
-        return LdapPrincipal.ANONYMOUS;
+        throw new javax.naming.AuthenticationException("Invalid credentials for user: " + user);
       } else {
         log.debug(MessageFormat.format(c_ResourceBundle.getString("crowdauthenticator.user"), u.toString()));
         return new LdapPrincipal(ctx.getDn(), AuthenticationLevel.SIMPLE);
       }
     } catch (Exception ex) {
-      log.debug(c_ResourceBundle.getString("crowdauthenticator.authentication.failed") + "()::Authentication failed");
-      return LdapPrincipal.ANONYMOUS;
+      log.debug(c_ResourceBundle.getString("crowdauthenticator.authentication.failed") + "()::Authentication failed: " + ex );
+      throw new javax.naming.NamingException("Unable to perform authentication: " + ex);
     }
   }//authenticate
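Review bot: the `throw new javax.naming.AuthenticationException(...)` added in the `if(u == null)` branch sits inside the `try` block whose `catch (Exception ex)` follows, so it is caught immediately and rethrown as the generic `NamingException("Unable to perform authentication: " + ex)`; the caller can no longer tell invalid credentials from a Crowd connectivity failure. Either narrow the catch to the exceptions `authenticateUser` actually throws, or add `catch (javax.naming.AuthenticationException ae) { throw ae; }` before the general catch. While there, keep the original cause with `NamingException.setRootCause(ex)` instead of flattening it into the message string, and consider keeping the submitted username in the debug log rather than in an exception message that may reach the client.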

regards, Bruno Antunes

alapierre commented 10 years ago

I have the same problem with Alfresco - any user can log in with a proper login name and any password. This is a really critical security bug. Anyone who knows a login name can log in. This fix works perfectly.

dwimberger commented 10 years ago

Actually, I always assumed that the anonymous state is correct:

       When the directory server receives a BIND request from a client, the authorization state of that
       connection is set to anonymous. If the BIND request is successful, the authorization state of the 
       connection is set to the state for the identity in the BIND request; if the BIND request is not
       successful, the session remains in the anonymous state.

http://www.ldapguru.info/ldap/authentication-best-practices.html

I don't see a reason for anonymous to be accepted as an authenticated user?

alapierre commented 10 years ago

Maybe... but some apps consider anonymous an authenticated user - this is a fact. I know two (OpenVPN, Alfresco). This is very bad when a VPN accepts any user... The same applications integrated with AD work fine - I tested it. So, where is the bug?

alapierre commented 10 years ago

Apache Directory Studio is the fourth app.

bantunes commented 10 years ago

I think it should only bind anonymously if the passed credentials (user and password) are null, and even this can depend on the LDAP server configuration. Binding as anonymous can also be denied.

The anonymous user can be considered an "authenticated" user if the bind succeeds. It is the anonymous user; it will have the access permissions that are defined for it.

best regards, Bruno Antunes

dwimberger commented 10 years ago

I'll take a look at this when I am back in town :)

Meanwhile you should probably check whether you can configure authorization, because the anonymous user should not have any groups.

There is also an AD mode that you can activate, which allows retrieving the groups together with the user entry.

Regards, Dieter

dwimberger commented 10 years ago

Changes added.

I still recommend checking for authorization, especially when it comes to services like OpenVPN and your document repository.....