Active Directory principals can sign in with a blank password


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Fix Version/s: 1.0.7
    • Affects Version/s: 1.0.6
    • Component/s: Directory - LDAP
    • Labels: None
    • Environment:

      Crowd on Tomcat 5.5.20
      Sun JDK 1.5.0_11 on Ubuntu
      MySql 5 DB

    • Description:

      We have found that users can sign in with a blank password. The configuration is a Crowd application with an Active Directory directory. Testing against a Crowd Internal directory does not yield the same results.

      Using the Config Test tab the following work as expected:

      • valid user with valid password succeeds
      • valid user with invalid password fails
      • invalid user fails

      But "valid user with no password succeeds", and this does not work when going directly to the server using an LDAP client.

      The following is a log of invoking the application 'Config Test' with no password:

      ==================================================================

      16:00:40,298 DEBUG org.springframework.ldap.support.LdapContextSource: AuthenticationSource not set - using default implementation
      16:00:40,298 DEBUG org.springframework.ldap.support.LdapContextSource: Using LDAP pooling.
      16:00:40,298 DEBUG org.springframework.ldap.support.LdapContextSource: Trying provider Urls: ldap://mite.intsec.amnesty.org:389
      16:00:40,300 INFO crowd.integration.directory.connector.SpringLDAPConnector: Performing group search: baseDN = OU=Groups,OU=Intsec,DC=intsec,DC=amnesty,DC=org - filter = (objectclass=group)
      16:00:40,300 DEBUG org.springframework.ldap.support.LdapContextSource: Principal: 'CN=Ldap User,OU=Service Accounts,OU=Security Objects,OU=INTSEC,DC=intsec,DC=amnesty,DC=org'
      16:00:40,300 DEBUG org.springframework.ldap.support.LdapContextSource: Got Ldap context on server 'ldap://mite.intsec.amnesty.org:389'
      16:00:40,370 DEBUG atlassian.crowd.manager.directory.DirectoryManagerGeneric: authenticate: user alordan
      16:00:40,378 DEBUG org.springframework.ldap.support.LdapContextSource: AuthenticationSource not set - using default implementation
      16:00:40,378 DEBUG org.springframework.ldap.support.LdapContextSource: Using LDAP pooling.
      16:00:40,378 DEBUG org.springframework.ldap.support.LdapContextSource: Trying provider Urls: ldap://mite.intsec.amnesty.org:389
      16:00:40,380 INFO crowd.integration.directory.connector.SpringLDAPConnector: Performing search: baseDN = OU=Intsec,DC=intsec,DC=amnesty,DC=org - filter = (&(samAccountName=alordan)(memberOf=CN=jira-users,OU=Groups,OU=Intsec,DC=intsec,DC=amnesty,DC=org))
      16:00:40,381 DEBUG org.springframework.ldap.support.LdapContextSource: Principal: 'CN=Ldap User,OU=Service Accounts,OU=Security Objects,OU=INTSEC,DC=intsec,DC=amnesty,DC=org'
      16:00:40,381 DEBUG org.springframework.ldap.support.LdapContextSource: Got Ldap context on server 'ldap://mite.intsec.amnesty.org:389'
      16:00:40,384 DEBUG org.springframework.ldap.support.LdapContextSource: AuthenticationSource not set - using default implementation
      16:00:40,384 WARN org.springframework.ldap.support.LdapContextSource: Property 'password' not set - blank password will be used
      16:00:40,385 DEBUG org.springframework.ldap.support.LdapContextSource: Not using LDAP pooling
      16:00:40,385 DEBUG org.springframework.ldap.support.LdapContextSource: Trying provider Urls: ldap://mite.intsec.amnesty.org:389
      16:00:40,385 DEBUG org.springframework.ldap.support.LdapContextSource: Principal: 'cn=Anna Lordan, ou=Users, ou=Intsec, dc=intsec, dc=amnesty, dc=org'
      16:00:40,476 DEBUG org.springframework.ldap.support.LdapContextSource: Got Ldap context on server 'ldap://mite.intsec.amnesty.org:389'
      16:00:40,476 INFO crowd.integration.directory.connector.SpringLDAPConnector: Performing principal search: baseDN = OU=Intsec,DC=intsec,DC=amnesty,DC=org - filter = (&(samAccountName=alordan)(memberOf=CN=jira-users,OU=Groups,OU=Intsec,DC=intsec,DC=amnesty,DC=org))
      16:00:40,476 DEBUG org.springframework.ldap.support.LdapContextSource: Principal: 'CN=Ldap User,OU=Service Accounts,OU=Security Objects,OU=INTSEC,DC=intsec,DC=amnesty,DC=org'
      16:00:40,476 DEBUG org.springframework.ldap.support.LdapContextSource: Got Ldap context on server 'ldap://mite.intsec.amnesty.org:389'
      16:00:40,480 DEBUG com.atlassian.crowd.manager.GenericManager: generateToken: user alordan
      16:00:40,484 DEBUG com.atlassian.crowd.manager.GenericManager: no existing token found in db
      16:00:40,484 DEBUG com.atlassian.crowd.manager.GenericManager: adding token MLpTxg26p8+9abvhSdHdPw== for name alordan
      16:00:40,484 DEBUG atlassian.crowd.manager.directory.DirectoryManagerGeneric: user has access to the application jira
      16:00:40,500 DEBUG integration.service.soap.client.GenericClient: Connection URL: http://localhost:8095/crowd/services/SecurityServer
      16:00:40,500 DEBUG integration.service.soap.client.GenericClient: Using existing token: YmPV7EUv0UCOTjpDQI4xVA==
      16:00:40,503 DEBUG integration.service.soap.xfire.XFireInLoggingMethodHandler: SOAP service method: isValidPrincipalToken
      com.atlassian.crowd.integration.authentication.AuthenticatedToken@a7b7ff[name=crowd,token=YmPV7EUv0UCOTjpDQI4xVA==]
      Ty0YgdDNDbGeHl3+H+qTnQ==
      com.atlassian.crowd.integration.authentication.ValidationFactor@120f0be[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)]
      com.atlassian.crowd.integration.authentication.ValidationFactor@19d4a86[name=remote_address,value=128.1.34.254]

      ==================================================================

      Is anyone else seeing this also?

              Assignee: Justen Stepka [Atlassian]
              Reporter: Chris Hatch
              Votes: 0
              Watchers: 1
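The log above shows Spring LDAP warning that a blank password will be used and then still obtaining a context for the user's DN. The following is an added example, not part of the original report and not Crowd's or Spring LDAP's code. It models the LDAP simple-bind rules of RFC 4513 section 5.1 in a small in-memory directory: a bind with a DN and an empty password is an unauthenticated bind, which Active Directory answers with success while granting only anonymous access. A connector that treats "bind returned success" as "password verified" therefore accepts a blank password; the hardened variant shows the two checks that close the gap. The DN, password and `FakeDirectory` class are constructed sample data, not values from the report.

```python
"""Blank-password LDAP bind: the reported failure mode beside the fix.

Added example; models RFC 4513 section 5.1 bind semantics with a
constructed in-memory directory instead of a real LDAP server.
"""

from dataclasses import dataclass

# Constructed sample identity (not the DN from the report).
SAMPLE_DN = "cn=Sample User,ou=Users,dc=example,dc=test"
SAMPLE_PASSWORD = "correct-horse-battery"


@dataclass
class BindResult:
    success: bool
    bound_identity: str  # "" means the session is anonymous


class FakeDirectory:
    """Stand-in for an AD-like server: accepts unauthenticated binds."""

    def __init__(self, credentials: dict[str, str]) -> None:
        self._credentials = credentials  # {dn: password}

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            # RFC 4513 5.1.1: anonymous bind.
            return BindResult(True, "")
        if password == "":
            # RFC 4513 5.1.2: unauthenticated bind. A server may accept it,
            # and Active Directory does, but the session carries no
            # user identity. This is the path the Crowd log exercised.
            return BindResult(True, "")
        if self._credentials.get(dn) == password:
            # RFC 4513 5.1.3: name/password authenticated bind.
            return BindResult(True, dn)
        return BindResult(False, "")  # invalidCredentials


SAMPLE_DIRECTORY = FakeDirectory({SAMPLE_DN: SAMPLE_PASSWORD})


def vulnerable_authenticate(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Trusts the bind result code alone: the behaviour the report describes."""
    return directory.simple_bind(dn, password).success


def hardened_authenticate(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Two checks: never send an empty password, and confirm the bound identity.

    Rejecting whitespace-only passwords as well is a defensive choice made
    here; the protocol only treats the empty string specially. Confirming
    the identity is what a real client would do with the "Who am I?"
    extended operation (RFC 4532); the fake server exposes it directly.
    """
    if not dn or password.strip() == "":
        return False
    result = directory.simple_bind(dn, password)
    return result.success and result.bound_identity == dn


def run_config_test(directory: FakeDirectory, dn: str, password: str) -> dict[str, bool]:
    """Mirrors the Config Test cases from the report for both connectors."""
    return {
        "vulnerable": vulnerable_authenticate(directory, dn, password),
        "hardened": hardened_authenticate(directory, dn, password),
    }


if __name__ == "__main__":
    cases = [
        ("valid user, valid password", SAMPLE_DN, SAMPLE_PASSWORD),
        ("valid user, invalid password", SAMPLE_DN, "wrong"),
        ("invalid user", "cn=Nobody,dc=example,dc=test", SAMPLE_PASSWORD),
        ("valid user, no password", SAMPLE_DN, ""),
    ]
    for label, dn, pw in cases:
        print(f"{label:32s} {run_config_test(SAMPLE_DIRECTORY, dn, pw)}")
```

Running the block prints the four Config Test cases; only the last one differs between the two connectors, which is exactly the discrepancy the reporter observed. In a real connector the same two rules apply: refuse to bind at all when the supplied password is empty, and do not equate a successful bind with a verified identity.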