LDAP allows empty passwords when used for securing the EAP 6 console or applications secured on EAP 5

Solution Unverified - Updated -

Issue

  • We require the Admin Management Console to be locked down for use by a specific role group. The management realm allows blank passwords, so all that is needed to breach our security is the user ID of someone in the role group.

    • Our Management realm section is as below:
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <ldap connection="ldap_connection" base-dn="CN=users,DC=domain1,DC=winldap,DC=loc,DC=example,DC=com" recursive="true">
                </ldap>
            </authentication>
        </security-realm>
    </security-realms>

  • In EAP 5.x, when an application is secured with LDAP using the application policy in $JBOSS_HOME(EAP5)/server/conf/login-config.xml as specified below, a user with a blank password is allowed to log in:

<application-policy name="MyLdapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
            <module-option name="bindDN">cn=testuser,cn=Users,dc=mydomain,dc=com</module-option>
            <module-option name="bindCredential">password</module-option>
            <module-option name="baseCtxDN">dc=mydomain,dc=com</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">OU=JBoss_Middleware,DC=mydomain,DC=com</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        </login-module>
    </authentication>
</application-policy>

  • Is there functionality in EAP to check whether the user exists in Active Directory, so that the user can enter without giving a user or password?

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.0
    • 5.x
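
The behaviour reported for both EAP 5 and EAP 6 is the LDAP protocol's "unauthenticated authentication mechanism" (RFC 4513, section 5.1.2): a simple bind that supplies a DN together with a zero-length password is, by definition, an anonymous bind, and directories that permit it (Active Directory does by default) answer with success without checking any credential. A login module that forwards the user's empty password to the server therefore accepts any username that resolves in the directory. The guard has to sit on the client side, rejecting an empty password before the bind request is ever sent. In EAP that switch is the `allowEmptyPasswords` module option of `LdapExtLoginModule` (set it to `false`) and, for the EAP 6 management realm, the `allow-empty-passwords` attribute of the `<ldap>` element in releases whose configuration schema includes it; confirm against the schema shipped with the installed version. The Python script below is an added example, not part of this article and not EAP code: it builds the exact BindRequest such a probe sends, decodes the BindResponse so an operator can test whether a directory honours unauthenticated binds, and shows the client-side guard that closes the hole. Host, port and DNs are placeholders, and the sample response bytes in the comments are constructed, not captured from a real server.

```python
"""Probe and guard for LDAP "unauthenticated" simple binds (RFC 4513 s.5.1.2).

A simple bind carrying a DN but a zero-length password is an anonymous
bind and succeeds without any credential check on servers that allow it.
Standard library only; host, port and DNs are placeholders.
"""
import socket
import sys

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def build_simple_bind(message_id, dn, password):
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple [0]}}."""
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must fit a one-byte INTEGER")
    bind = (_tlv(0x02, bytes([3]))              # version INTEGER 3
            + _tlv(0x04, dn.encode())           # name LDAPDN
            + _tlv(0x80, password.encode()))    # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode LDAPMessage{messageID, BindResponse{resultCode, matchedDN, diag}}.

    Constructed success response: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00
    """
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)          # resultCode ENUMERATED
    _, matched, pos = _read_tlv(op, pos)     # matchedDN
    _, diag, _ = _read_tlv(op, pos)          # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def accepts_unauthenticated_bind(host, port, dn, timeout=5.0):
    """True if the server answers DN + empty password with resultCode 0."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, dn, ""))
        response = parse_bind_response(sock.recv(4096))
    return response["result_code"] == LDAP_SUCCESS


def authenticate(dn, password, bind):
    """Client-side guard, the equivalent of allowEmptyPasswords=false.

    bind(dn, password) returns an LDAP result code.  A directory that honours
    unauthenticated binds returns 0 for an empty password, so the rejection
    must happen here, before anything is sent to the server.
    """
    if not dn or not password:
        return False
    return bind(dn, password) == LDAP_SUCCESS


if __name__ == "__main__":
    # usage: python ldap_empty_bind.py <host> <port> <dn>  (all placeholders)
    host, port, dn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print("unauthenticated bind accepted:",
          accepts_unauthenticated_bind(host, port, dn))
```

Run the probe against the directory with the DN of any real account and no password; a `True` result means the server side will not save you and the empty-password check must be enforced in the login module configuration. Note that only a zero-length password triggers the anonymous bind; a whitespace-only or otherwise wrong password still yields `invalidCredentials` (49), which is why `authenticate` tests for emptiness rather than trusting the result code.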
