  1. PicketBox
  2. SECURITY-513

LdapExtLoginModule breaks if bindCredential is missing


    • Attempt to use LdapExtLoginModule with bindCredential not present in the configuration.

    • Adding an empty string for the bindCredential but leaving bindDN not present may work, if the LDAP simply ignores any credentials when the user isn't set.

      LdapExtLoginModule got changed for SECURITY-422 to allow external commands to be run by prefixing the credential with {EXT}. It doesn't check for null first which breaks support for anonymous login added in JBAS-3555.

      The trivial fix is to change the following line in LdapExtLoginModule.createLdapInitContext()
      if (this.bindCredential.startsWith("{EXT}"))
      to
      if (this.bindCredential != null && this.bindCredential.startsWith("{EXT}"))

            mmoyses Marcus Moyses (Inactive)
            rhn-support-jlivings James Livingston (Inactive)
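
The unguarded and guarded forms of the check from the description, side by side, as an added Java example that is not PicketBox code. The class and method names, the stubbed {EXT} resolver, the LDAP URL, the way the JNDI environment is built and the rejection of a DN with an empty password are all assumptions made for illustration.

```java
import java.util.Properties;
import java.util.function.UnaryOperator;
import javax.naming.Context;

// Added illustration: all names here are hypothetical, not PicketBox source.
public class BindCredentialGuardDemo {
    static final String EXT = "{EXT}";

    // "Before" shape from the report: dereferences bindCredential unconditionally.
    static Properties unguarded(String bindDN, String bindCredential, UnaryOperator<String> ext) {
        if (bindCredential.startsWith(EXT)) { // NullPointerException when the option is absent
            bindCredential = ext.apply(bindCredential.substring(EXT.length()));
        }
        return buildEnv(bindDN, bindCredential);
    }

    // "After" shape: the null check comes first, so a missing credential reaches buildEnv.
    static Properties guarded(String bindDN, String bindCredential, UnaryOperator<String> ext) {
        if (bindCredential != null && bindCredential.startsWith(EXT)) {
            bindCredential = ext.apply(bindCredential.substring(EXT.length()));
        }
        return buildEnv(bindDN, bindCredential);
    }

    // Assumed env construction: no principal and no credential means an anonymous bind.
    static Properties buildEnv(String bindDN, String bindCredential) {
        Properties env = new Properties();
        env.setProperty(Context.PROVIDER_URL, "ldap://ldap.example.invalid:389"); // constructed
        if (bindDN == null) return env; // anonymous: principal and credentials stay unset
        // Added hardening (assumption): DN plus empty password is an RFC 4513 unauthenticated bind.
        if (bindCredential == null || bindCredential.isEmpty()) {
            throw new IllegalArgumentException("bindDN set but bindCredential is missing or empty");
        }
        env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
        env.setProperty(Context.SECURITY_CREDENTIALS, bindCredential);
        return env;
    }

    public static void main(String[] args) {
        UnaryOperator<String> ext = cmd -> "resolved-by:" + cmd; // stub, runs no command
        try {
            unguarded(null, null, ext);
        } catch (NullPointerException e) {
            System.out.println("unguarded, no bindCredential: NullPointerException");
        }
        System.out.println("guarded, anonymous: " + guarded(null, null, ext).stringPropertyNames());
        Properties p = guarded("cn=svc,dc=example,dc=invalid", EXT + "/opt/hypothetical/get-pw", ext);
        System.out.println("guarded, {EXT}: " + p.getProperty(Context.SECURITY_CREDENTIALS));
    }
}
```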