LDAP allows empty passwords when used for securing the EAP 6 console or applications secured on EAP 5

Solution Unverified

Issue

  • We require the Admin Management Console to be locked down for use by a specific role group. The management realm allows blank passwords, so all that is needed to breach our security is the user ID of someone in the role group.

    • Our Management realm section is as below (the snippet is closed so that it is well-formed XML):
    <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <ldap connection="ldap_connection" base-dn="CN=users,DC=domain1,DC=winldap,DC=loc,DC=example,DC=com" recursive="true">
                    </ldap>
                </authentication>
            </security-realm>
    </security-realms>

  • In EAP 5.x, when an application is secured with LDAP using the application policy in $JBOSS_HOME(EAP5)/server/conf/login-config.xml as specified below, a user with a blank password is allowed to log in:

<application-policy name="MyLdapSecurityDomain">
    <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
        <module-option name="bindDN">cn=testuser,cn=Users,dc=mydomain,dc=com</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">dc=mydomain,dc=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">OU=JBoss_Middleware,DC=mydomain,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       </login-module>
    </authentication>
</application-policy>

  • Is there functionality in EAP to check whether the user exists in Active Directory, so that the user can enter without giving a user name or password?
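
Both configurations above run into the same directory behaviour: RFC 4513 section 5.1.2 defines an "unauthenticated" simple bind, a BindRequest carrying a non-empty DN and a zero-length password. A server that honours it (Active Directory does by default) answers with result code 0 but grants only anonymous access, so any client that treats "bind succeeded" as "password verified" lets the user in. The following Python is an added example, not code from this KB page or from JBoss EAP: it encodes LDAP simple BindRequests at the BER level, classifies captured requests by which RFC 4513 mechanism they use, and shows the client-side guard (refuse to send a bind with an empty or blank password) that an LDAP login module needs. The DNs and PDUs are constructed placeholders.

```python
"""
LDAP simple-bind classifier: why an empty password "authenticates".

Added example, not code from the Red Hat KB page or from JBoss EAP.
RFC 4513 section 5.1.2: a simple BindRequest with a non-empty name and
a zero-length password is the "unauthenticated" mechanism. A server
that permits it returns success (result code 0) while granting only
anonymous access. The sample PDUs below are constructed here and the
DNs are placeholders.
"""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); handles both length forms."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    message_id must be below 128 so it fits a single INTEGER byte."""
    bind = _tlv(0x60,                             # [APPLICATION 0] BindRequest
                _tlv(0x02, bytes([3]))            # version INTEGER 3
                + _tlv(0x04, name.encode())       # name LDAPDN
                + _tlv(0x80, password.encode()))  # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def classify_bind(pdu: bytes) -> str:
    """Name the RFC 4513 mechanism a BindRequest on the wire is using."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag == 0xA3:                          # sasl [3] SaslCredentials
        return "sasl"
    if auth_tag != 0x80:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % auth_tag)
    if not name and not cred:
        return "anonymous"        # 5.1.1: both empty
    if name and not cred:
        return "unauthenticated"  # 5.1.2: DN given, no password, bind still succeeds
    if name and cred:
        return "simple"           # 5.1.3: name/password authenticated
    return "invalid"              # password without a name


def build_bind_or_reject(message_id: int, name: str, password: str) -> bytes:
    """Client-side guard: never send a bind the server may treat as anonymous.
    The check has to happen before the bind, because the server's success
    code for an unauthenticated bind is indistinguishable from a real one."""
    if not name.strip():
        raise ValueError("refusing anonymous bind: empty DN")
    if not password or not password.strip():
        raise ValueError("refusing unauthenticated bind: empty password")
    return encode_simple_bind(message_id, name, password)


if __name__ == "__main__":
    dn = "cn=alice,cn=Users,dc=example,dc=com"   # constructed placeholder DN
    for n, (who, pw) in enumerate([("", ""), (dn, ""), (dn, "s3cret")], start=1):
        print(n, classify_bind(encode_simple_bind(n, who, pw)))
```

Run over a capture of bind traffic, classify_bind flags every request that relied on the unauthenticated mechanism, which is the quickest way to find clients that were "authenticating" this way. The guard in build_bind_or_reject is the behaviour that the allowEmptyPasswords module option documented for the PicketBox LDAP login modules controls; whether the directory accepts such binds at all is a server setting, so the client-side check is the part an application owner can rely on.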

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.0
    • 5.x
