Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.4
    • Fix Version/s: 2.0.0-M13
    • Component/s: core
    • Labels:
      None

      Description

      Recently upgraded to the 1.5 branch (1.5.4). Nice new feature set. While fiddling with the settings I noticed this option:

          <simpleMechanismHandler mech-name="SIMPLE"/>

      under the saslMechanismHandlers header. So, I assumed that, based on the name, one is to understand that (since SASL PLAIN and LDAP SIMPLE are a 1:1 match) the LDAP simple/SASL PLAIN authentication can be deactivated. After commenting out the above-mentioned setting, SASL PLAIN is no longer mentioned in "supportedSASLMechanisms", and if one attempts to use it, a javax.naming.AuthenticationNotSupportedException is what one gets. Unfortunately, if one tries to use SIMPLE as an authentication mechanism, the bind succeeds. This also holds true for the 1.5.5 trunk (as of 3/9/2009).

      This can be fixed by adding a typical is/set pair for a boolean value, just like the case for anonymous access, in org.apache.directory.server.core.DirectoryService.java, making a check when authenticate() is called in org.apache.directory.server.core.SimpleAuthenticator, and adding the relevant setting to defaultDirectoryService in server.xml. Did this myself; seems to work as intended.

        Activity

        Emmanuel Lecharny added a comment -

        I modified the way we initialize the Authenticators so that they are not loaded when they are disabled in the configuration.

        Pierre-Arnaud Marcelot added a comment -

        Version 2.0.0-M3 was released a couple of months ago.

        Assigned the remaining open JIRA issues to the next iteration (2.0.0-M4).

        Pierre-Arnaud Marcelot added a comment -

        Version 2.0.0-M1 has been released.
        Moving all related non-resolved issues to the next version.

        Emmanuel Lecharny added a comment -

        There are two different methods for authentication: Simple and SASL. They are combined with some mechanisms and a secure layer (SSL and TLS). RFC 4513 specifies the way all those elements are combined.

        Simple authentication method:

        • first, the simple anonymous authentication MUST be supported (RFC 4513, par. 2)
        • second, the simple name/password authentication MUST be supported (RFC 4513, par. 2) but SHOULD be disabled by default if either LDAPS or TLS is not used. This is not currently the case, and has to be fixed.

        SASL authentication method:

        • PLAIN and ANONYMOUS SASL mechanisms are disabled, as they are already provided through the Simple method (at least, they should be disabled)
        • the EXTERNAL mechanism can be used to establish an authentication using a lower security layer (TLS) (RFC 4513, par. 5.1.3)

        All this has to be reviewed and documented.

        Emmanuel Lecharny added a comment -

        Let's see if we can fix that for 2.0


          People

          • Assignee:
            Unassigned
          • Reporter:
            Andreas Kyrmegalos
          • Votes:
            0
          • Watchers:
            2