[jboss-jira] [JBoss JIRA] (AS7-6108) The LDAP Realm used for the management interfaces and Remoting connectors is incorrectly accepting empty passwords as being valid.

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Thu Feb 14 23:37:56 EST 2013


     [ https://issues.jboss.org/browse/AS7-6108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

RH Bugzilla Integration updated AS7-6108:
-----------------------------------------

        Bugzilla Update: Perform
    Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=901251

    
> The LDAP Realm used for the management interfaces and Remoting connectors is incorrectly accepting empty passwords as being valid.
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AS7-6108
>                 URL: https://issues.jboss.org/browse/AS7-6108
>             Project: Application Server 7
>          Issue Type: Bug
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>             Fix For: 7.2.0.Alpha1
>
>
> Verification of the remote user is performed by attempting to bind to LDAP using the credentials supplied by the remote user; a successful bind is taken to mean that the supplied credentials are correct.
> However, some LDAP servers (Active Directory is one example) allow the empty password as an anonymous binding; this means that the realm assumes the password was correct whilst the LDAP server did not validate the password.
> This Jira issue is to change the default behaviour so empty passwords are not accepted at all and to add a configuration attribute to allow the use of empty passwords should they really be desired.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
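
The behaviour change described in the issue, sketched as an added example that is not part of the original message and is not JBoss AS code: empty passwords are refused before any bind is attempted unless an opt-in flag is set. The class, interface and flag names are hypothetical, and the LDAP server is a constructed in-memory stub that treats an empty password as an anonymous bind.

```java
import java.util.Map;

// Added illustration; all names here are hypothetical, not JBoss AS classes.
public class EmptyPasswordGuard {

    /** Stands in for the LDAP simple bind; true means the server accepted the bind. */
    interface LdapBinder {
        boolean bind(String userDn, char[] password);
    }

    /** Constructed stub: accepts an empty password as an anonymous bind. */
    static final class AnonymousFriendlyServer implements LdapBinder {
        private final Map<String, String> directory;
        AnonymousFriendlyServer(Map<String, String> directory) { this.directory = directory; }

        @Override
        public boolean bind(String userDn, char[] password) {
            if (password.length == 0) {
                return true; // anonymous bind succeeds, no password was validated
            }
            String expected = directory.get(userDn);
            return expected != null && expected.equals(new String(password));
        }
    }

    private final LdapBinder binder;
    private final boolean allowEmptyPasswords; // hypothetical opt-in, false by default

    EmptyPasswordGuard(LdapBinder binder, boolean allowEmptyPasswords) {
        this.binder = binder;
        this.allowEmptyPasswords = allowEmptyPasswords;
    }

    /** A successful bind only counts as verification if a password was really sent. */
    boolean verify(String userDn, char[] password) {
        if (password == null || (password.length == 0 && !allowEmptyPasswords)) {
            return false; // refuse before the server can treat the bind as anonymous
        }
        return binder.bind(userDn, password);
    }

    public static void main(String[] args) {
        String dn = "uid=admin,ou=people,dc=example,dc=org"; // constructed sample entry
        LdapBinder server = new AnonymousFriendlyServer(Map.of(dn, "s3cret"));
        EmptyPasswordGuard strict = new EmptyPasswordGuard(server, false);
        EmptyPasswordGuard optIn = new EmptyPasswordGuard(server, true);
        System.out.println("default, empty password: " + strict.verify(dn, new char[0]));
        System.out.println("default, right password: " + strict.verify(dn, "s3cret".toCharArray()));
        System.out.println("default, wrong password: " + strict.verify(dn, "guess".toCharArray()));
        System.out.println("opt-in,  empty password: " + optIn.verify(dn, new char[0]));
    }
}
```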

