Openfire LDAP Login with wrong password possible

I successfully set up Openfire 4.2.1 to connect to our LDAP server (Apple Open Directory). It works fine; Openfire pulls groups and users etc.
But now I noticed the following: every user can log in with anything as a password. So the passwords obviously are not checked against the LDAP server. This applies to the admin console as well as to the Spark client.
The only logins that do not work are those for non-existent users and empty passwords.

Any help is appreciated.

Does openfire provide any logging during these LDAP authentication attempts?

I’m unable to reproduce this issue with an Active Directory setup.

Sorry for the late answer. The problem still persists, even after reinstalling and reconfiguring Openfire. How can I obtain a relevant log for this problem? (Maybe to post it here.)

Openfire stores various log files in the <openfire_home>/logs/ directory. The all.log file aggregates all other log files, and is most useful. If you can, please enable debug logging (via the Openfire admin console) and reproduce the problem, before grabbing the log files.

Hi,

we have the same issue.

The setup:

Openfire 4.2.3 (The corresponding code was not changed in the master)
OpenLDAP (Anonymous Login enabled)

Steps to Reproduce:

  1. set up OpenLDAP server (with users and user groups and a login for the Openfire server). Allow Anonymous Login.
  2. activate StartTLS with an SSL certificate that does not match the hostname.
  3. set up Openfire with LDAP connection to OpenLDAP (activate StartTLS).

What happens:

  1. certificate validation fails at LdapManager.java#L716 (javax.net.ssl.SSLPeerUnverifiedException: hostname of the server ‘XXXXXXXXXXXX’ does not match the hostname in the server’s certificate.)
  2. the username and password are not set at LdapManager.java#L727
  3. the exception is intercepted and logged at LdapManager.java#L733
  4. LdapManager.java#L737 should actually throw an exception, but it doesn’t, since the context is valid for anonymous login. This will cause the user to be logged in.

Possible solution:

  1. do not catch LdapManager.java#L732
  2. do not catch LdapManager.java#L823
  3. do not catch LdapManager.java#L623

For our concrete problem it helped to disable the anonymous login in the (incorrectly configured) OpenLDAP server. In addition, the certificate for the LDAP server had to contain the common name and the subject alternative name of the server's host name.
However, it should not be possible for such a misconfiguration to cause a fallback that makes it possible to log in with any password.
With ApacheDirectoryServer we could not reproduce the problem. We think it is because OpenLDAP does not require you to set "env.put(Context.SECURITY_AUTHENTICATION, "none");" for the anonymous login, whereas ApacheDirectoryServer does.

Logs:

09:45:44.578 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:1009) - LdapManager: Trying to find a user's DN based on their username. uid: anbraun, Base DN: dc="XXXXXXXXXXXXXXXXXXX",dc="XXXXXXXXXXXXXXXXXXX",dc="XXXXXXXXXXXXXXXXXXX"... 
09:45:44.578 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:509) - LdapManager: Creating a DirContext in LdapManager.getContext()... 
09:45:44.578 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:554) - LdapManager: connection pooling was requested but has been disabled because of StartTLS. 
09:45:44.578 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:578) - LdapManager: Created hashtable with context values, attempting to create context... 
09:45:44.579 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:586) - LdapManager: ... StartTlsRequest 
09:45:44.795 [Jetty-QTP-AdminConsole-31] ERROR (org.jivesoftware.openfire.ldap.LdapManager:629) - hostname of the server 'XXXXXXXXXXXXXXXXXXX' does not match the hostname in the server's certificate. 
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'XXXXXXXXXXXXXXXXXXX' does not match the hostname in the server's certificate.
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:447)
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:225)
               at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:601)
               at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:1014)
               at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:954)
               at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:112)
               at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:203)
               at org.jivesoftware.openfire.admin.login_jsp._jspService(login_jsp.java:189)
               at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
               at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
               at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:73)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:49)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:226)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:215)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
               at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
               at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
               at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
               at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
               at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
               at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
               at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
               at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
               at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
               at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
               at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
               at org.eclipse.jetty.server.Server.handle(Server.java:499)
               at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
               at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
               at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
               at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
               at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
               at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No name matching XXXXXXXXXXXXXXXXXXX found
               at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
               at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:426)
               ... 40 common frames omitted
09:45:44.795 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:634) - LdapManager: ... context created successfully, returning. 
09:45:44.796 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:1016) - LdapManager: Starting LDAP search... 
09:45:44.797 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:1036) - LdapManager: ... search finished 
09:45:44.797 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:651) - LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: cn="XXXXXXXXXXXXXXXXXXX",ou="XXXXXXXXXXXXXXXXXXX",ou="XXXXXXXXXXXXXXXXXXX"... 
09:45:44.797 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:703) - LdapManager: Created context values, attempting to create context... 
09:45:44.798 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:710) - LdapManager: ... StartTlsRequest 
09:45:45.005 [Jetty-QTP-AdminConsole-31] ERROR (org.jivesoftware.openfire.ldap.LdapManager:738) - hostname of the server 'XXXXXXXXXXXXXXXXXXX' does not match the hostname in the server's certificate. 
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'XXXXXXXXXXXXXXXXXXX' does not match the hostname in the server's certificate.
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:447)
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:225)
               at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java:721)
               at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:115)
               at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:203)
               at org.jivesoftware.openfire.admin.login_jsp._jspService(login_jsp.java:189)
               at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
               at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
               at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:73)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:49)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:226)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:215)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
               at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
               at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
               at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
               at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
               at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
               at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
               at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
               at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
               at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
               at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
               at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
               at org.eclipse.jetty.server.Server.handle(Server.java:499)
               at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
               at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
               at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
               at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
               at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
               at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No name matching XXXXXXXXXXXXXXXXXXX found
               at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
               at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:426)
               ... 38 common frames omitted
09:45:45.005 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:879) - LdapManager: In lookupExistence(ctx, dn, returnattrs), searchdn is: cn="XXXXXXXXXXXXXXXXXXX",ou="XXXXXXXXXXXXXXXXXXX",ou="XXXXXXXXXXXXXXXXXXX",dc="XXXXXXXXXXXXXXXXXXX",dc="XXXXXXXXXXXXXXXXXXX",dc="XXXXXXXXXXXXXXXXXXX" 
09:45:45.007 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:910) - LdapManager: .... lookupExistence: DN found. 
09:45:45.007 [Jetty-QTP-AdminConsole-31] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:749) - LdapManager: ... context created successfully, returning. 
09:45:45.016 [Jetty-QTP-AdminConsole-34] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:509) - LdapManager: Creating a DirContext in LdapManager.getContext()... 
09:45:45.016 [Jetty-QTP-AdminConsole-34] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:554) - LdapManager: connection pooling was requested but has been disabled because of StartTLS. 
09:45:45.016 [Jetty-QTP-AdminConsole-34] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:578) - LdapManager: Created hashtable with context values, attempting to create context... 
09:45:45.018 [Jetty-QTP-AdminConsole-34] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:586) - LdapManager: ... StartTlsRequest 
09:45:45.235 [Jetty-QTP-AdminConsole-34] ERROR (org.jivesoftware.openfire.ldap.LdapManager:629) - hostname of the server 'XXXXXXXXXXXXXXXXXXX' does not match the hostname in the server's certificate. 
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'XXXXXXXXXXXXXXXXXXX' does not match the hostname in the server's certificate.
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:447)
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:225)
               at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:601)
               at org.jivesoftware.openfire.ldap.LdapUserProvider.loadUser(LdapUserProvider.java:110)
               at org.jivesoftware.openfire.user.UserManager.getUser(UserManager.java:270)
               at org.jivesoftware.util.WebManager.getUser(WebManager.java:172)
               at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:210)
               at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
               at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
               at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
               at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
               at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
               at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
               at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
               at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
               at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
               at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
               at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
               at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
               at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
               at org.eclipse.jetty.server.Server.handle(Server.java:499)
               at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
               at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
               at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
               at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
               at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
               at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No name matching XXXXXXXXXXXXXXXXXXX found
               at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
               at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
               at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:426)
               ... 26 common frames omitted
09:45:45.235 [Jetty-QTP-AdminConsole-34] DEBUG (org.jivesoftware.openfire.ldap.LdapManager:634) - LdapManager: ... context created successfully, returning.
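To make the fail-open pattern from the report concrete, here is an added illustration in plain JNDI. It is not Openfire's LdapManager code and not a patch for it; the LDAP URL and the method names are constructed for the example. Both methods open an anonymous connection, upgrade it with StartTLS and then switch the context to a simple bind as the user, which is the flow the posted log shows (getContext, then checkAuthentication, then lookupExistence). They differ only in what happens when negotiate() throws, for example on the hostname mismatch seen at LdapManager:738.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Illustrative password check against an LDAP server via JNDI.
 * Added example, not Openfire code; values below are constructed.
 */
public class LdapBindCheck {

    // Constructed placeholder; an OpenLDAP server that allows anonymous binds.
    static final String LDAP_URL = "ldap://ldap.example.internal:389";

    /** Opens a context with no SECURITY_* entries, i.e. an anonymous bind. */
    private static LdapContext anonymousContext() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        return new InitialLdapContext(env, null);
    }

    /** The fail-open pattern the report describes. */
    static boolean checkPasswordFailOpen(String userDN, String password) throws NamingException {
        LdapContext ctx = anonymousContext();
        try {
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate(); // throws SSLPeerUnverifiedException when the certificate does not match the host
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        } catch (IOException e) {
            // BUG: the failure is only logged. ctx is still the anonymous context and
            // the credentials were never applied, so nothing below verifies the password.
            System.err.println("StartTLS failed: " + e.getMessage());
        }
        try {
            // An anonymous read of the entry succeeds ("DN found"), which is not
            // evidence that the supplied password was ever checked by the server.
            ctx.getAttributes(userDN);
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            ctx.close();
        }
    }

    /** Fail-closed variant: no transport, no bind, no password decision. */
    static boolean checkPasswordFailClosed(String userDN, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // An empty password is an unauthenticated bind (RFC 4513, 5.1.2), never a match.
            return false;
        }
        LdapContext ctx = anonymousContext();
        try {
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();
        } catch (IOException e) {
            ctx.close();
            // Propagate instead of continuing on an unverified, anonymous connection.
            throw new NamingException("StartTLS negotiation failed: " + e.getMessage());
        }
        try {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            // Force the bind now, so a wrong password surfaces here as AuthenticationException
            // rather than being hidden behind a later lookup that anonymous access also satisfies.
            ctx.reconnect(null);
            return true;
        } catch (AuthenticationException e) {
            return false; // the server rejected the bind: wrong password
        } finally {
            ctx.close();
        }
    }
}
```

Operationally, the telltale in the posted log is the ERROR from the StartTLS hostname check being followed within milliseconds by "context created successfully, returning" and a successful lookupExistence on the same thread; an alert on that ERROR message alone is enough to catch the misconfiguration, and the fail-closed variant turns it into a visible login failure instead of a silent success.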

Thanks for the detailed report. https://issues.igniterealtime.org/browse/OF-1723