Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.4
    • Fix Version/s: 2.0.0-M13
    • Component/s: core
    • Labels:
      None

      Description

      Recently upgraded to the 1.5 branch (1.5.4). Nice new feature set. While fiddling with the settings I noticed this option:
      <simpleMechanismHandler mech-name="SIMPLE"/>
      under the saslMechanismHandlers header. So, I assumed that, based on the name, one is to understand that (since SASL PLAIN and LDAP SIMPLE are a 1:1 match) the ldap simple/sasl plain authentication can be deactivated. After commenting the above mentioned setting, SASL PLAIN is no longer mentioned in "supportedSASLMechanisms" and if one attempts to use it, a javax.naming.AuthenticationNotSupportedException is what one gets. Unfortunately, if one tries to use SIMPLE as an authentication mechanism, the bind succeeds. This also holds true for the 1.5.5 trunk (as of 3/9/2009). This can be fixed by adding a typical is/set pair for a boolean value, just like the case for anonymous access, in org.apache.directory.server.core.DirectoryService.java, making a check when authenticate() is called in org.apache.directory.server.core.SimpleAuthenticator and adding the relevant setting to defaultDirectoryService in server.xml. Did this myself, seems to work as intended.

        Activity

        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open → Resolved | 1529d 15h 10m | 1 | Emmanuel Lecharny | 16/May/13 17:00
        Resolved → Closed | 34d 17h 12m | 1 | Emmanuel Lecharny | 20/Jun/13 10:12
        Emmanuel Lecharny made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Emmanuel Lecharny made changes -
        Fix Version/s 2.0.0-M13 [ 12324631 ]
        Fix Version/s 2.0.0-RC1 [ 12313387 ]
        Emmanuel Lecharny made changes -
        Resolution Fixed [ 1 ]
        Status Open [ 1 ] Resolved [ 5 ]
        Emmanuel Lecharny added a comment -

        I modified the way we initialize the Authenticator so that they are not loaded when they are disabled in the configuration

        Pierre-Arnaud Marcelot made changes -
        Fix Version/s 2.0.0-RC1 [ 12313387 ]
        Fix Version/s 2.0.0-M3 [ 12316467 ]
        Pierre-Arnaud Marcelot added a comment -

        Version 2.0.0-M3 was released a couple of months ago.

        Assigned the remaining open JIRA issues to the next iteration (2.0.0-M4).

        Pierre-Arnaud Marcelot made changes -
        Fix Version/s 2.0.0-M3 [ 12316467 ]
        Fix Version/s 2.0.0-M2 [ 12316056 ]
        Pierre-Arnaud Marcelot made changes -
        Fix Version/s 2.0.0-M2 [ 12316056 ]
        Fix Version/s 2.0.0-M1 [ 12316055 ]
        Pierre-Arnaud Marcelot added a comment -

        Version 2.0.0-M1 has been released.
        Moving all related non-resolved issues to the next version.

        Pierre-Arnaud Marcelot added a comment -

        Version 2.0.0-M1 has been released.
        Moving all related non-resolved issues to the next version.

        Emmanuel Lecharny made changes -
        Fix Version/s 2.0-M1 [ 12316055 ]
        Fix Version/s 2.0.0-RC1 [ 12313387 ]
        Emmanuel Lecharny added a comment -

        There are 2 different methods for authentication: Simple and SASL. They are combined with some mechanisms and some secure layer (SSL and TLS). RFC 4513 specifies the way all those elements are combined.

        Simple authentication method:

        • first, the simple anonymous authentication MUST be supported (RFC 4513, par. 2)
        • second, the simple name/password authentication MUST be supported (RFC 4513, par. 2) but SHOULD be disabled by default if either LDAPS or TLS is not used. This is not currently the case, and has to be fixed.

        SASL authentication method:

        • PLAIN and ANONYMOUS SASL mechanisms are disabled, as they are already provided through the Simple method (at least, they should be disabled)
        • the EXTERNAL mechanism can be used to establish an authentication using a lower security layer (TLS) (RFC 4513, par. 5.1.3)

        All this has to be reviewed and documented.
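
The gap from the issue description and the policy listed in the comment above, modelled as an added example (not ApacheDS code and not part of either comment): the simple-bind path gets its own switch, independent of the SASL handler list, plus a TLS requirement. Every class, field and method name is hypothetical, and the SASL mechanism list is constructed sample data.

```java
import java.util.Set;

// Hypothetical model of a bind gate; none of these names are ApacheDS classes.
public class BindPolicyDemo {
    enum Method { SIMPLE_ANONYMOUS, SIMPLE_PASSWORD, SASL }

    static final class Config {
        boolean allowAnonymous = false;      // same style of switch as anonymous access
        boolean allowSimpleBind = true;      // the is/set boolean proposed in the report
        boolean simpleBindNeedsTls = false;  // policy from the RFC 4513 comment
        // Constructed sample list: the SIMPLE/PLAIN handler has been removed.
        Set<String> saslMechanisms = Set.of("DIGEST-MD5", "GSSAPI");
    }

    // Returns null if the bind may go on to credential checking, else the refusal reason.
    static String refuse(Config cfg, Method method, String saslMech, boolean tlsActive) {
        switch (method) {
            case SIMPLE_ANONYMOUS:
                return cfg.allowAnonymous ? null : "anonymous bind disabled";
            case SIMPLE_PASSWORD:
                // Checked independently of the SASL handler list: removing the
                // PLAIN handler must not be the only control on this path.
                if (!cfg.allowSimpleBind) return "simple bind disabled";
                if (cfg.simpleBindNeedsTls && !tlsActive) return "confidentialityRequired";
                return null;
            default: // SASL
                return cfg.saslMechanisms.contains(saslMech)
                        ? null : "SASL mechanism not supported: " + saslMech;
        }
    }

    static void show(String label, String reason) {
        System.out.println(label + " -> "
                + (reason == null ? "accepted for credential check" : "refused: " + reason));
    }

    public static void main(String[] args) {
        Config reported = new Config();   // state described in the report
        show("reported: SASL PLAIN", refuse(reported, Method.SASL, "PLAIN", false));
        show("reported: simple bind", refuse(reported, Method.SIMPLE_PASSWORD, null, false));

        Config disabled = new Config();   // proposed switch turned off
        disabled.allowSimpleBind = false;
        show("switch off: simple bind", refuse(disabled, Method.SIMPLE_PASSWORD, null, true));

        Config tlsOnly = new Config();    // simple bind only over TLS/LDAPS
        tlsOnly.simpleBindNeedsTls = true;
        show("TLS-only: cleartext simple bind", refuse(tlsOnly, Method.SIMPLE_PASSWORD, null, false));
        show("TLS-only: simple bind over TLS", refuse(tlsOnly, Method.SIMPLE_PASSWORD, null, true));
    }
}
```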

        Emmanuel Lecharny made changes -
        Field Original Value New Value
        Fix Version/s 2.0.0-RC1 [ 12313387 ]
        Emmanuel Lecharny added a comment -

        Let's see if we can fix that for 2.0

        Andreas Kyrmegalos created issue -

          People

          • Assignee:
            Unassigned
            Reporter:
            Andreas Kyrmegalos
          • Votes:
            0
            Watchers:
            2
