[Issue 3586] New - LDAP Manager DN and password are REQUIRED (security risk)


[Issue 3586] New - LDAP Manager DN and password are REQUIRED (security risk)

jesterfred
https://hudson.dev.java.net/issues/show_bug.cgi?id=3586
                 Issue #|3586
                 Summary|LDAP Manager DN and password are REQUIRED (security risk)
               Component|hudson
                 Version|current
                Platform|All
              OS/Version|Linux
                     URL|
                  Status|NEW
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P2
            Subcomponent|security
             Assigned to|issues@hudson
             Reported by|jesterfred

------- Additional comments from [hidden email] Tue Apr 28 15:14:12 +0000 2009 -------
Using the 1.301 Hudson war under glassfish v2 with LDAP enabled results in
Hudson supplying erroneous manager DN and manager password if these fields are
left blank.  When filling in the form all is well with the auto verification
that takes place while one is filling in the form.  However, after hitting the
save button, then coming back to the LDAP configuration area of the Manage
Hudson form, both the Manager DN and the Manager Password will have default
values.  The values are incorrect and seem to be drawn from the Authorization Matrix.

The net result is that I have to fill in correct values despite my LDAP
configuration not requiring BINDING prior to querying.

I tried placing correct values in those two fields and saving the form then
logging out then back in to make sure all is well then clearing those fields and
saving the form.  My intent was perhaps to reset some internal flag.  This did
not work.  The same erroneous values popped back into the form upon navigating
back to the form after having saved the form with the empty entries in those two
fields.

This is a security risk.  I do not want to have to supply the admin DN and password.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Issue 3586] LDAP Manager DN and password are REQUIRED (security risk)

remke-2
https://hudson.dev.java.net/issues/show_bug.cgi?id=3586

------- Additional comments from [hidden email] Fri Jul  3 08:46:38 +0000 2009 -------
I think I am experiencing the same issue in Hudson 1.313.

My setup is:
  <version>1.313</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>x.x.x.x</server>
    <rootDN>yyyyyy</rootDN>
    <userSearchBase></userSearchBase>
    <userSearch>cn={0}</userSearch>
  </securityRealm>

Now, I execute the following scenario:
- go to Hudson
- log in with a valid account
- go to 'Configure Hudson' (I have a Dutch version, I am not sure of the English
menu entry)
- go to 'Configure System'
- the page shows up, but in the LDAP section there is an error: Unable to
connect to 172.20.0.10: javax.naming.InvalidNameException: [LDAP: error code 34
- Invalid DN Syntax]
- I click on the 'Uitgebreid...' (Advanced...?) button in the LDAP section
- now the Manager DN field contains my login name and the manager password field
contains asterisks (probably representing my password), both fields also show
the same error: Unable to connect to 172.20.0.10:
javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]

If I save the config page without changing the LDAP settings (possibly changing
other settings), my LDAP config becomes invalid and I cannot log back in. I then
need to manually modify config.xml and restart Hudson to make things work again.

If I save the config page after emptying the Manager DN and Manager
password fields, everything works fine.

At the moment, my workaround is:
Whenever changing something on the 'Configure System' page, make sure the
Manager DN and Manager password fields are emptied.

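The second report ends with the recovery step "manually modify config.xml and restart Hudson". The script below is an added example (editor's code, not Hudson's and not from either reporter) that does that step mechanically: it parses a Hudson config.xml, reports whether the LDAP realm carries a stored Manager DN or Manager Password, and strips both so the realm goes back to searching with an anonymous bind. The element names managerDN and managerPassword are an assumption about how Hudson's LDAPSecurityRealm serialises those two form fields; the page never shows them because the reporter's working config has none. The sample document is constructed here in the shape of the posted snippet, with a bare login name as Manager DN (a login name is not a DN, which is consistent with the "error code 34 - Invalid DN Syntax" in the report) and a base64 of a made-up password; treat whatever Hudson writes into that element as recoverable plaintext.

```python
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the page: a config.xml in the shape of the
# snippet posted above, after the form has re-inserted the logged-in user's name
# as Manager DN and a (base64-scrambled, made-up) password.
SAMPLE_CONFIG = """<hudson>
  <version>1.313</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>x.x.x.x</server>
    <rootDN>yyyyyy</rootDN>
    <userSearchBase></userSearchBase>
    <userSearch>cn={0}</userSearch>
    <managerDN>remke</managerDN>
    <managerPassword>aHVudGVyMg==</managerPassword>
  </securityRealm>
</hudson>
"""

LDAP_REALM_CLASS = "hudson.security.LDAPSecurityRealm"
# Assumed element names for the bind credentials; the page never shows them
# because the working config has none.
MANAGER_FIELDS = ("managerDN", "managerPassword")


def ldap_realm(root):
    """Return the <securityRealm> element if it is the LDAP realm, else None."""
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") != LDAP_REALM_CLASS:
        return None
    return realm


def stored_manager_credentials(xml_text):
    """Names of manager fields that are present with a non-empty value.

    A bare login name such as 'remke' is not a DN (hence 'Invalid DN Syntax'),
    and any non-empty managerPassword means a bind secret is sitting on disk.
    """
    realm = ldap_realm(ET.fromstring(xml_text))
    if realm is None:
        return []
    found = []
    for name in MANAGER_FIELDS:
        el = realm.find(name)
        if el is not None and (el.text or "").strip():
            found.append(name)
    return found


def strip_manager_credentials(xml_text):
    """Remove the manager fields so the realm searches with an anonymous bind.

    Returns (new_xml, removed_names); the rest of the realm is left untouched.
    """
    root = ET.fromstring(xml_text)
    realm = ldap_realm(root)
    removed = []
    if realm is not None:
        for name in MANAGER_FIELDS:
            el = realm.find(name)
            if el is not None:
                realm.remove(el)
                removed.append(name)
    return ET.tostring(root, encoding="unicode"), removed


def main(argv):
    if len(argv) == 2:
        # Real use: python fix_ldap_config.py $HUDSON_HOME/config.xml, then restart Hudson.
        path = argv[1]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        new_text, removed = strip_manager_credentials(text)
        if removed:
            shutil.copy(path, path + ".bak")  # keep the original beside the edited file
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("<?xml version='1.0' encoding='UTF-8'?>\n" + new_text + "\n")
        print("removed:", removed or "nothing")
        return
    print("sample stores:", stored_manager_credentials(SAMPLE_CONFIG))
    print(strip_manager_credentials(SAMPLE_CONFIG)[0])


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the check and the cleaned sample; with a path it edits that file in place after copying it to a .bak, and the restart the reporter mentions is still needed for Hudson to reload the realm. Empty elements are deliberately not counted as stored credentials, since an empty Manager DN is exactly the state in which the reporter says everything works.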