3 Replies Latest reply on Feb 4, 2008 8:10 AM by barramundi

LdapExtLoginModule.java bug? Blank password login successful

barramundi Feb 4, 2008 1:38 AM

Is it me or is it a bug?
I tried to login with a username that exist in LDAP but with BLANK password.
The login was successful.

login-config.xml Configuration as below

<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
<module-option name="bindDN">cn=Directory Manager</module-option>
<module-option name="bindCredential">password</module-option>
<module-option name="baseCtxDN">ou=People,o=domain.com</module-option>
<module-option name="baseFilter">(uid={0})</module-option>

<module-option name="rolesCtxDN">ou=Groups,o=domain.com</module-option>
<module-option name="roleFilter">(uniqueMember={1})</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleNameAttributeID">cn</module-option>

<module-option name="roleRecursion">2</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
</login-module>

1. Re: LdapExtLoginModule.java bug? Blank password login succes

jaikiran Feb 4, 2008 3:43 AM (in response to barramundi)

Are you sure this login configuration is being used for authenticating? Are you doing a programatic login or container managed login? If you are using container managed login, have you configured the security-domain in the jboss-web.xml? What do the TRACE level logs from security package, show? See Q4 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ to enable TRACE level logs.
Actions
2. Re: LdapExtLoginModule.java bug? Blank password login succes

behmen Feb 4, 2008 5:19 AM (in response to barramundi)

its not a bug, its a feature ;-(
you must set this in the loginconfig:

<module-option name="allowEmptyPasswords">false</module-option>
Actions
3. Re: LdapExtLoginModule.java bug? Blank password login succes

barramundi Feb 4, 2008 8:10 AM (in response to barramundi)

Cool!
I tried the allowEmptyPasswords option. Works like a charm.
Actions

Go to original post