instaclustr / cassandra-ldap

LDAP Authenticator for Apache Cassandra
Apache License 2.0

Empty password bypasses authentication #13

Closed ValkyrieOps closed 4 years ago

ValkyrieOps commented 4 years ago

Please answer these questions before submitting your issue. Thanks!

What version of Cassandra are you using?

3.11.5

What version of Cassandra LDAP are you using?

3.11.4

What LDAP server you are using? Any specifics?

Windows Server 2019

What did you do?

Run cqlsh -u ourdomainuser ourcassandrahost --cqlversion="3.4.4" When prompted for password just hit return

What did you expect to see?

Authentication fails with blank password

What did you see instead?

Authentication succeeds for any user specified, including ones that have never logged in before

Not sure if this is an errant configuration with our domain; however, anonymous binding is not supported. Please let me know if there is any other information I can provide here.

smiklosovic commented 4 years ago

Hi @ValkyrieOps, if you have set this up correctly, I think the fact that your password is not set and you can log in reflects the fact that an empty password is fine for LDAP too. This plugin does nothing but translate auth requests to LDAP, so if an empty password is fine for LDAP, it is fine for this plugin too. I would have to triple-check this, but at first glance it seems to be the very reason you see this.
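The behaviour described in the comment above is the LDAP "unauthenticated" bind of RFC 4513 section 5.1.2: a simple BindRequest carrying a non-empty name and an empty password. A directory that allows it (the reporter notes AD does by default) answers with success and grants only anonymous access, so a client that reads "bind succeeded" as "password verified" lets anyone in. The block below is an added example, not code from this issue or from the cassandra-ldap project. It encodes the BindRequest bytes that go on the wire for the empty and non-empty cases and shows the client-side guard an LDAP-backed authenticator needs; the DN, password and messageID values are constructed for illustration.

```python
# Added example, not code from instaclustr/cassandra-ldap.
# RFC 4513 section 5.1 distinguishes three simple binds:
#   anonymous        -> empty name, empty password
#   unauthenticated  -> non-empty name, EMPTY password   <- this issue
#   name/password    -> both non-empty
# A server that permits unauthenticated binds returns resultCode 0 and
# grants anonymous access, so an authenticator that equates "bind
# succeeded" with "user proved the password" accepts any name.
# DN, password and messageID values here are constructed for illustration.


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_integer(n: int) -> bytes:
    """BER INTEGER (universal tag 2) for non-negative values."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest } per RFC 4511 section 4.2.

    Tags: SEQUENCE 0x30, BindRequest [APPLICATION 0] 0x60,
    LDAPDN OCTET STRING 0x04, simple authentication [0] 0x80.
    """
    bind = (
        ber_integer(3)                          # version INTEGER 3
        + tlv(0x04, dn.encode("utf-8"))         # name LDAPDN
        + tlv(0x80, password.encode("utf-8"))   # AuthenticationChoice simple [0]
    )
    return tlv(0x30, ber_integer(message_id) + tlv(0x60, bind))


def classify_bind(dn: str, password: str) -> str:
    """Name the RFC 4513 section 5.1 mechanism a simple bind would use."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    return "name/password"


class EmptyPasswordError(ValueError):
    """Raised instead of sending a bind the server may treat as anonymous."""


def safe_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Build a BindRequest only for the name/password mechanism.

    This is the check an LDAP-backed authenticator must do on its own side:
    it cannot rely on the directory to reject an empty password.
    """
    kind = classify_bind(dn, password)
    if kind != "name/password":
        raise EmptyPasswordError(
            f"refusing simple bind with empty name or password ({kind} bind)"
        )
    return bind_request(message_id, dn, password)


def rejects_empty_password(dn: str, password: str) -> bool:
    """True if safe_bind_request refuses this credential pair."""
    try:
        safe_bind_request(1, dn, password)
    except EmptyPasswordError:
        return True
    return False


if __name__ == "__main__":
    dn = "CN=ourdomainuser,CN=Users,DC=example,DC=local"  # constructed DN
    for pw in ("", "correct horse"):
        # the empty case ends in 80 00: a zero-length simple credential
        print(f"{classify_bind(dn, pw):16} {bind_request(1, dn, pw).hex(' ')}")
```

Run stand-alone, the script prints the two encoded requests; the only difference is the trailing `80 00` (zero-length simple credential) versus `80 0d ...`. The point of `safe_bind_request` is that the decision has to be made before the request is sent: once the directory has answered success to an unauthenticated bind, the client cannot distinguish that from a real password check without inspecting what it sent.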

ValkyrieOps commented 4 years ago

@smiklosovic You are correct, sorry for the trouble. Turns out we had user groups restricted for authentication, but AD permits anonymous binding by default. Thanks again!