Possible Bug: Users are able to login without password (CVS & LDAP)

Try to be a little more restrictive in your ACLs and remember that they are enforced top down.

http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure_acl.html

For instance mine look like:

access to *
        by group="cn=LDAPAdmins,ou=DSA,dc=,dc=com" write
        by dn="cn=replicator,ou=DSA,dc=,dc=com" write
        by * none break

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=71 simple_bind=64

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPasswordHistory,userPKCS12
        by dn="cn=Manager,dc=,dc=com" write
        by self write
        by anonymous auth
        by * none

# Not currently using Kerberos
#access to attrs=krb5PrincipalName
#        by ssf=56 * read
#access to attrs=krb5Key
#        by dn="cn=manager,dc=,dc=com" write
#        by * none

access to dn.subtree="ou=Idmap,dc=,dc=com"
        by dn="cn=winbind,ou=DSA,dc=,dc=com" write
        by * none

access to *
        by * read

Not fully comprehensive, but it's enough for our network as it stands.

What error messages are you getting from ldapwhoami?

Rob
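Rob's remark that ACLs are enforced top down is easiest to see by pushing a request through the clauses. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of slapd's evaluation order (first matching `access to`, then first matching `by`, stop unless the clause says `break`) loaded with a hand-encoded copy of Rob's ACL. The suffix dc=example,dc=com, the ou=People entries and the LDAPAdmins membership are assumptions made up for the demonstration; `misordered_acl()` shows what happens when the catch-all `access to * by * read` is placed above the password clause.

```python
"""Model of how OpenLDAP slapd evaluates `access to <what> by <who> <level> [<control>]`:
clauses are walked top down, the first <what> matching the target is used, within it the
first <who> matching the requester decides, and evaluation stops unless it says `break`.

Added example, not from the thread. The rule set hand-encodes the ACL Rob posted; the
suffix dc=example,dc=com, the ou=People entries and the group membership are assumptions.
"""

SUFFIX = "dc=example,dc=com"                  # assumption standing in for the redacted dc=,dc=com
PERSON1 = f"cn=person1,ou=People,{SUFFIX}"    # constructed user entry
GROUPS = {f"cn=LDAPAdmins,ou=DSA,{SUFFIX}": {f"cn=alice,ou=People,{SUFFIX}"}}  # constructed
PASSWORD_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword",
                  "sambapasswordhistory", "userpkcs12"}

def robs_acl():
    """Rob's ACL as data: [(<what>, [(who_kind, who_value, level, control), ...]), ...]."""
    return [
        ("*", [("group", f"cn=LDAPAdmins,ou=DSA,{SUFFIX}", "write", "stop"),
               ("dn", f"cn=replicator,ou=DSA,{SUFFIX}", "write", "stop"),
               ("*", None, "none", "break")]),          # `break`: keep "none", continue below
        (("dn.base", ""), [("*", None, "read", "stop")]),
        (("dn.base", "cn=Subschema"), [("*", None, "read", "stop")]),
        (("attrs", PASSWORD_ATTRS), [("dn", f"cn=Manager,{SUFFIX}", "write", "stop"),
                                     ("self", None, "write", "stop"),
                                     ("anonymous", None, "auth", "stop"),
                                     ("*", None, "none", "stop")]),
        (("dn.subtree", f"ou=Idmap,{SUFFIX}"), [("dn", f"cn=winbind,ou=DSA,{SUFFIX}", "write", "stop"),
                                                ("*", None, "none", "stop")]),
        ("*", [("*", None, "read", "stop")]),
    ]

def misordered_acl():
    """Rob's clauses with the catch-all `access to * by * read` hoisted above the password
    clause. The first matching <what> wins, so the restriction below it is dead."""
    acl = robs_acl()
    return acl[:3] + [acl[5]] + acl[3:5]

def _norm(dn):
    """Case- and whitespace-insensitive DN comparison key (enough for this model)."""
    return "".join(dn.split()).lower()

def target_matches(target, entry_dn, attr):
    if target == "*":
        return True
    kind, value = target
    if kind == "dn.base":
        return _norm(entry_dn) == _norm(value)
    if kind == "dn.subtree":
        dn, base = _norm(entry_dn), _norm(value)
        return dn == base or dn.endswith("," + base)
    if kind == "attrs":
        return attr is not None and attr.lower() in value
    raise ValueError(f"unsupported <what>: {kind}")

def who_matches(kind, value, bind_dn, entry_dn, groups):
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:               # every selector below requires an authenticated DN
        return False
    if kind == "self":
        return _norm(bind_dn) == _norm(entry_dn)
    if kind == "dn":
        return _norm(bind_dn) == _norm(value)
    if kind == "group":
        return _norm(bind_dn) in groups.get(_norm(value), frozenset())
    raise ValueError(f"unsupported <who>: {kind}")

def evaluate(acl, bind_dn, entry_dn, attr, groups=None):
    """Access level granted to bind_dn (None = anonymous) on `attr` of `entry_dn`."""
    groups = {_norm(g): {_norm(m) for m in ms} for g, ms in (groups or {}).items()}
    granted = "none"
    for target, whos in acl:
        if not target_matches(target, entry_dn, attr):
            continue
        for kind, value, level, control in whos:
            if who_matches(kind, value, bind_dn, entry_dn, groups):
                if control == "break":
                    granted = level   # remember it, then move on to the next <access>
                    break
                return level          # "stop": the first matching <who> decides
        else:
            return "none"             # no <who> matched: implicit `by * none stop`
    return granted

if __name__ == "__main__":
    idmap = f"uidNumber=10000,ou=Idmap,{SUFFIX}"
    for label, acl in (("Rob's order", robs_acl()), ("catch-all hoisted", misordered_acl())):
        print(f"{label}: anon/userPassword =", evaluate(acl, None, PERSON1, "userPassword"),
              "| person1/Idmap =", evaluate(acl, PERSON1, idmap, "uidNumber"),
              "| alice(LDAPAdmins)/userPassword =",
              evaluate(acl, f"cn=alice,ou=People,{SUFFIX}", PERSON1, "userPassword", GROUPS))
```

Run it and compare the two orderings: with Rob's order an anonymous requester gets only `auth` on userPassword (enough to bind, not enough to read the hash) and a plain user gets nothing on ou=Idmap despite the final `by * read`, while with the catch-all hoisted the same anonymous request gets `read`. The model covers only the selectors Rob uses (`*`, `anonymous`, `self`, `dn=`, `group=`, `dn.base`, `dn.subtree`, `attrs=`) and treats the case where a matching `access to` has no matching `by` as the implicit `by * none stop`, which is slapd's behaviour.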

Matt,

It's not possible to check to see if the password values are the same in a generic way.

I thought that this is the default behavior of applications that do authentication with LDAP, or do other developers also have to deal with this situation?

Can you give me an approximate date when the empty-password check will be available on CVS? Or can you guide me to a quick hack for my environment?

Rob,

Unfortunately I'm not able (I don't have the permissions) to change anything in our LDAP environment, so I have to find a way around this issue.

ldapwhoami output:

ldapwhoami -D dc=com -h localhost -W cn=person1,dc=domain
Enter bind password:
ldap_sasl_interactive_bind_s: No such attribute (16)

Regards,

Frank

By default, all the ldap* utilities try using a SASL bind, which is the error you're getting.

You need to specify the -x to use a simple bind.

Rob

Edit:

Looks like you're also trying to bind as user "dc=com".

Try: ldapwhoami -h localhost -D "cn=person1,dc=domain" -Wx

Message was edited by: areobe

Thanks for that hint, now I get a result:

ldapwhoami -h localhost -D "cn=person1,dc=domain,dc=com" -Wx
Enter bind password:
dn:cn=person1,dc=domain,dc=com
Result: Success (0)

It seems that I'm not authenticated as a guest ... at least one good/right thing with our LDAP configuration here.

CVS is updated now to not allow blank passwords for LDAP auth.

-Matt

Hey Matt,

I'm thinking that that change should at least be optional in a configuration variable. You're almost getting into implementing a password policy, which really should be in the realm of the LDAP directory admin. It's perfectly valid to have a password policy of allowing blank passwords. Stupid, but valid.

Rob

CVS is updated now to not allow blank passwords for LDAP auth.

Can you tell me what you've changed for this? I would like to implement these changes into the 2.1.2 sources.

Regards,

Frank

Here's the diff:

http://www.jivesoftware.org/fisheye/viewrep/cvs-org/messenger/src/java/org/jivesoftware/messenger/ldap/LdapAuthProvider.java?r1=1.5&r2=1.6

Thanks!

I'm new to this thread, but I have also noticed and experienced the blank password authentication problem being discussed here, in versions 2.1.1 and 2.1.2.

However, I was wondering if I was the only one who noticed that in addition to blank passwords, it also accepts passwords with nothing but spaces!

Exodus, for example, does not let you log in with a blank password, but if you hit the spacebar once - or any number of times, it will let you in!

I've checked this with Pandion as well, and noticed the network traffic... and indeed, multiple spaces also authenticate successfully. Freaky!

Jive Messenger 2.1.2 running on a Windows 2003 server, communicating via LDAP to a Windows 2003 Active Directory domain controller running in 2000 native mode. Guest access disabled.

-Tom
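The bug Frank and Tom hit, and the kind of check Matt committed, in one runnable picture. This is an added example written for this page; it is not Jive Messenger's LdapAuthProvider and not a real LDAP client. FakeDirectory and FakeSession are stand-ins that model a server which, like Active Directory by default, answers a simple bind carrying a DN and an empty password with a success result and an anonymous session (RFC 4513 section 5.1.2 calls this an unauthenticated bind). The sample DN is the one from Frank's ldapwhoami output; the password "correct horse" is made up. The stand-in does not reproduce the whitespace-only acceptance Tom saw against AD, since the thread does not establish why that happened; the hardened version refuses such passwords before binding either way.

```python
"""Why an LDAP-backed login can be bypassed with an empty password, and how to
close the hole. Added example: not the Jive Messenger code from the thread, and
FakeDirectory/FakeSession are stand-ins written for the example, not a real
LDAP client.

RFC 4513 section 5.1.2: a simple bind with a non-empty DN and an empty password
is an *unauthenticated* bind. A server that permits it returns success, but the
resulting session is anonymous. Code that equates "bind succeeded" with
"password verified" therefore lets anyone in as anyone.
"""


class BindError(Exception):
    pass


class FakeSession:
    def __init__(self, authz_dn):
        self.authz_dn = authz_dn            # "" models an anonymous session

    def whoami(self):
        """Models the RFC 4532 "Who am I?" operation that ldapwhoami drives:
        "dn:<bound DN>" when authenticated, the empty string when anonymous."""
        return f"dn:{self.authz_dn}" if self.authz_dn else ""


class FakeDirectory:
    """Stand-in for a directory that allows unauthenticated simple binds."""

    def __init__(self, passwords, allow_unauthenticated=True):
        self.passwords = {dn.lower(): pw for dn, pw in passwords.items()}
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn, password):
        if password == "":
            if self.allow_unauthenticated:
                return FakeSession("")      # success result code, anonymous session
            raise BindError("unwillingToPerform: unauthenticated bind disabled")
        stored = self.passwords.get(dn.lower())
        if stored is not None and stored == password:
            return FakeSession(dn)
        raise BindError("invalidCredentials (49)")


# Constructed sample directory; the DN is the one from Frank's ldapwhoami output.
DIRECTORY = FakeDirectory({"cn=person1,dc=domain,dc=com": "correct horse"})


def naive_login(directory, dn, password):
    """The vulnerable pattern: a successful bind is taken as a verified password."""
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False


def hardened_login(directory, dn, password):
    """Refuse empty and whitespace-only passwords before touching the server,
    then confirm the session the server handed back is really the user's."""
    if password is None or password.strip() == "":
        # Empty => unauthenticated bind (RFC 4513). Whitespace-only is refused
        # as well: Tom reported such passwords being accepted against AD, and
        # the outcome should not depend on how a given server treats them.
        return False
    try:
        session = directory.simple_bind(dn, password)
    except BindError:
        return False
    # Same check Frank did by hand with ldapwhoami: the authorization identity
    # must be the DN we bound as, not anonymous.
    return session.whoami().lower() == f"dn:{dn}".lower()


if __name__ == "__main__":
    user = "cn=person1,dc=domain,dc=com"
    for pw in ["", "   ", "wrong", "correct horse"]:
        print(repr(pw), "naive:", naive_login(DIRECTORY, user, pw),
              "hardened:", hardened_login(DIRECTORY, user, pw))
```

The whoami comparison is the programmatic form of what Frank did at the command line: `dn:cn=person1,...` means the session is his, while an empty or `anonymous` answer means the server let the bind through without checking anything. Against Active Directory the authorization identity comes back as `u:DOMAIN\user` rather than `dn:...`, so that comparison has to be adapted there. On OpenLDAP the server-side knob is `allow bind_anon_dn` in slapd.conf, which is off by default, so an unauthenticated bind is refused before the application ever sees a success result. Rob's objection that password policy belongs to the directory admin concerns the directory; the application-side check here is about not mistaking an anonymous session for an authenticated one, which is a different question and worth keeping in both layers.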

Hi Tom,

I've checked that in our environment, no issue with passwords that consist only of blanks. Maybe that's because of the changes in the JM source (no empty passwords allowed), but I'm not sure about that.

You could try the CVS version or adapt the change (it's only one line) into the 2.1.2 source (that's what I've done here).

Regards,

Frank

Don't mean to get off topic here, but I think RADIUS authentication would solve this problem at least for AD users. RADIUS (via IAS) would allow Windows to do any and all necessary LDAP queries and would remove the burden from Jive. I'm not sure if a similar RADIUS->LDAP bridge exists for other OSes or implementations however. Anyone else know if they exist?

Frank,

I would love to try this new line of code, but unfortunately I'm just using the Windows binaries and don't have the means to compile source.

If you have a Windows binary for 2.1.2 already compiled with this change, I would be very grateful if you could send me a copy. My email address is below. Thank you!

Tom at Sarkoon d0t c0m

If you have a Windows binary for 2.1.2 already compiled with this change, I would be very grateful if you could send me a copy. My email address is below. Thank you!

I put up a nightly build of the exe in the daily builds section. It's listed as a 2.1.3 exe.

Regards,

Matt

Matt,

Thanks so much for the 2.1.3 installer. It works great and fixed the password issue for blank passwords as well as passwords containing nothing but spaces.

-Tom