LDAP allows empty passwords when used for securing the EAP 6 console or applications secured on EAP 5

Solution Unverified - Updated -

Issue

  • We require the Admin Management Console to be locked down for use to a specific role group. The management realm allows blank passwords. So all that is needed to breach our security is a user id of someone in the role group.

    • Our Management realm section is as below:
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <ldap connection="ldap_connection" base-dn="CN=users,DC=domain1,DC=winldap,DC=loc,DC=example,DC=com" recursive="true">
                </ldap>
            </authentication>
        </security-realm>
    </security-realms>

  • In EAP 5.x, when an application is secured with LDAP using the application policy in $JBOSS_HOME(EAP5)/server/conf/login-config.xml as specified below, a user with a blank password is allowed to log in:

<application-policy name="MyLdapSecurityDomain">
    <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
        <module-option name="bindDN">cn=testuser,cn=Users,dc=mydomain,dc=com</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">dc=mydomain,dc=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">OU=JBoss_Middleware,DC=mydomain,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       </login-module>
    </authentication>
</application-policy>

  • Is there functionality in EAP to check if the user exists in Active Directory, so that the user can enter without giving a user or password?
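The two configurations above with the empty-password check turned on, as an added example that is not part of the original article: the management realm gets `allow-empty-passwords="false"` on the `<ldap>` element, and the EAP 5 login module gets the `allowEmptyPasswords` module option set to `false`, so a zero-length password is rejected before any bind is attempted rather than being sent to the directory, where a simple bind with a DN and an empty password is treated as an unauthenticated bind and succeeds. Both settings are assumed to be supported by the EAP versions in use (neither appears in the snippets above); the DNs, connection name and module options are copied from those snippets.

```xml
<!-- EAP 6 management realm: reject zero-length passwords before binding.
     allow-empty-passwords is assumed to be available in this EAP version. -->
<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <ldap connection="ldap_connection"
                  base-dn="CN=users,DC=domain1,DC=winldap,DC=loc,DC=example,DC=com"
                  recursive="true"
                  allow-empty-passwords="false">
            </ldap>
        </authentication>
    </security-realm>
</security-realms>

<!-- EAP 5 login-config.xml: the same policy as above with the
     allowEmptyPasswords module option added (assumed to be supported). -->
<application-policy name="MyLdapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <!-- Fail the login locally when the supplied password is empty;
                 the bind is never attempted, so the directory cannot
                 treat it as an unauthenticated (anonymous) bind. -->
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
            <module-option name="bindDN">cn=testuser,cn=Users,dc=mydomain,dc=com</module-option>
            <module-option name="bindCredential">password</module-option>
            <module-option name="baseCtxDN">dc=mydomain,dc=com</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">OU=JBoss_Middleware,DC=mydomain,DC=com</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        </login-module>
    </authentication>
</application-policy>
```

After applying either change, verify it by attempting a login with a valid user ID and an empty password and confirming it is refused; an LDAP server that accepts empty passwords should also be configured to reject unauthenticated binds so the check does not rely on the application alone.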

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.0
    • 5.x
