From: Sonnek, R. <Rya...@bp...> - 2002-05-28 19:13:13
First of all, thank you so much for your help. We found that the problem was with the configuration of OpenLDAP allowing anonymous binding. The weird thing is that we're using an LDAP module for Apache for a similar purpose, and Apache did not have any of these quirks.

Thank you again for your time, and patience!!!

Ryan Sonnek

-----Original Message-----
From: Scott M Stark [mailto:Sco...@jb...]
Sent: Saturday, May 25, 2002 12:14 AM
To: jbo...@li...
Subject: Re: [JBoss-user] LdapLoginModule null password

I added a testcase of sending a null password to the LdapLoginModule and it correctly fails to authenticate the user. Have you tried a simple JNDI test against your server to make sure it is not allowing this? If it does not, create a simple war or ear that demonstrates the problem and post it as a bug to sourceforge.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Sonnek, Ryan" <Rya...@bp...>
To: <jbo...@li...>
Sent: Friday, May 24, 2002 11:17 AM
Subject: RE: [JBoss-user] LdapLoginModule null password

> thanks for the reply, but taking out the principal and credentials from the
> auth.conf file didn't change the outcome. when I hit a protected url, I'm
> prompted for the username and password, and if I input my username with a
> null password, it still lets me in.
>
> checking the jboss logs, i get this information when i first hit the url :
> [DEBUG,LdapLoginModule] Bad password for username=null
> which seems to mean that first it tries to access the resource as an
> anonymous user, then if that fails, i'm prompted with the dialog box.
>
> using the jboss 2.4.4 documentation, page 261 says that the
> java.naming.security.principal and java.naming.security.credentials
> properties are allowed for authenticating the caller to the service. i
> thought this was required if you're not allowing anonymous queries and
> needed to bind as a user in order to authenticate with the desired username.
>
> any other ideas on why this could be happening?
>
> -----Original Message-----
> From: Scott M Stark [mailto:Sco...@jb...]
> Sent: Friday, May 24, 2002 11:58 AM
> To: jbo...@li...
> Subject: Re: [JBoss-user] LdapLoginModule null password
>
> Because you are supplying the credentials to use in the configuration.
> Neither
>
> java.naming.security.principal="cn=admin,dc=mybpc,dc=net"
>
> java.naming.security.credentials="xxxxxx"
>
> should be in the configuration. These are generated based on the caller
> principal and credentials, but if you specify them and then do not provide
> this info you have defined a default login for everyone. Where in the docs
> does it say to include these?
>
> xxxxxxxxxxxxxxxxxxxxxxxx
> Scott Stark
> Chief Technology Officer
> JBoss Group, LLC
> xxxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
JBoss-user mailing list
JBo...@li...
https://lists.sourceforge.net/lists/listinfo/jboss-user
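
The situation the thread ends on, as an added Java example (not JBoss or LdapLoginModule code, and not written by the posters): a login check built on a JNDI simple bind refuses an empty password itself, so a directory that allows anonymous binding cannot turn a blank password into a successful login. The class name, URL and DN are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

// Added example, not JBoss or LdapLoginModule code.
public class LdapBindCheck {

    // Returns true only when the directory accepts a simple bind for userDn
    // with a non-empty password.
    static boolean authenticate(String url, String userDn, char[] password) {
        // Reject blank input before any bind is attempted. A simple bind that
        // carries no password is not a password check: a directory that allows
        // anonymous binding can answer it with success.
        if (userDn == null || userDn.trim().isEmpty()
                || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            // Creating the context connects and binds as userDn.
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) {
            // AuthenticationException (bad password) or any other failure.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; pass your own URL, DN and password as arguments.
        String url = args.length > 0 ? args[0] : "ldap://localhost:389";
        String dn = args.length > 1 ? args[1] : "uid=test,dc=example,dc=com";
        char[] pw = args.length > 2 ? args[2].toCharArray() : new char[0];
        System.out.println("empty password accepted: " + authenticate(url, dn, new char[0]));
        System.out.println("supplied password accepted: " + authenticate(url, dn, pw));
    }
}
```

The guard is a second layer only; the fix reported in the thread, changing the OpenLDAP configuration that allowed anonymous binding, is still needed on the server side.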