[seam-issues] [JBoss JIRA] Created: (JBSEAM-4635) LdapIdentityStore is insecure if anonymous LDAP bind is enabled at the LDAP server

Flo Gle (JIRA) jira-events at lists.jboss.org
Tue Apr 13 17:59:25 EDT 2010


LdapIdentityStore is insecure if anonymous LDAP bind is enabled at the LDAP server
----------------------------------------------------------------------------------

                 Key: JBSEAM-4635
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-4635
             Project: Seam
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.2.0.GA
         Environment: -
            Reporter: Flo Gle


According to RFC 2829 section 5.1, an LDAP server may accept an empty password as an anonymous login and allow the bind. RFC 4513 section 5.1.2 establishes new rules for the anonymous bind, but it does not disallow the old method.
So if the LDAP client sends an empty password string, the server can allow the bind. Using the LdapIdentityStore on a server that allows these binds results in a security problem: every username is accepted if the password is empty.

Fix is easy.
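As an added illustration of the defect and its guard (example code, not Seam's own LdapIdentityStore), a minimal JNDI simple-bind authenticator: the unsafe variant trusts bind success alone, the hardened variant refuses to send an empty credential at all. The server URL and DN pattern are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

/** Added example, not Seam code. URL and DN pattern below are placeholders. */
public class LdapBindAuthenticator {
    private static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    private static final String USER_DN_PATTERN = "uid=%s,ou=people,dc=example,dc=invalid";

    /**
     * Defective pattern: a successful simple bind is taken as proof of identity.
     * If the password is empty, a server following RFC 2829 s.5.1 (or the
     * "unauthenticated" bind of RFC 4513 s.5.1.2) may treat the bind as
     * anonymous and return success, so any username is accepted.
     */
    public static boolean authenticateUnsafe(String username, String password) {
        return tryBind(String.format(USER_DN_PATTERN, username), password);
    }

    /** Hardened: never attempt the bind unless a non-empty password was supplied. */
    public static boolean authenticate(String username, String password) {
        if (username == null || password == null || password.isEmpty()) {
            return false; // an empty credential could be accepted as anonymous
        }
        // Restrict the username to a safe character set before placing it in a DN.
        if (!username.matches("[A-Za-z0-9._-]+")) {
            return false;
        }
        return tryBind(String.format(USER_DN_PATTERN, username), password);
    }

    private static boolean tryBind(String dn, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // bind succeeded
            return true;
        } catch (NamingException e) {
            return false; // invalid credentials or server unreachable
        }
    }
}
```

The same guard belongs in front of any LDAP-backed login path, independent of whether the directory is configured to permit anonymous binds.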
