[FIXED JENKINS-13595] when attempting anonymous bind, don't specify the user name.

If AD is configured not to allow anonymous bind, it'll be recorded as a failed login attempt, and depending on the security policy in question, it can lock the user out.
kohsuke committed Apr 26, 2012
1 parent feef048 commit 1c4d2ee
Showing 1 changed file with 13 additions and 4 deletions.
@@ -409,11 +409,20 @@ private LdapContext bind(String principalName, String password, SocketInfo server
}
}

// authenticate after upgrading to TLS, so that the credential won't go in clear text
context.addToEnvironment(Context.SECURITY_PRINCIPAL, principalName);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
if (principalName==null || password==null || password.equals("")) {
// anonymous bind. LDAP uses empty password as a signal to anonymous bind (RFC 2829 5.1),
// which means it can never be the actual user password.
context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none");
} else {
// authenticate after upgrading to TLS, so that the credential won't go in clear text
context.addToEnvironment(Context.SECURITY_PRINCIPAL, principalName);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
}

// this is supposed to cause the LDAP bind operation with the server,
// but I notice that AD may still accept this and yet fail to search later
// but I notice that AD may still accept this and yet fail to search later,
// when I tried anonymous bind.
// if I do specify a wrong credential, this seems to fail.
context.reconnect(null);

return context; // worked
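Review bot: The else branch of the new `if (principalName==null || password==null || password.equals(""))` block sets SECURITY_PRINCIPAL and SECURITY_CREDENTIALS but never sets SECURITY_AUTHENTICATION, so the authenticated path relies on JNDI's default of picking "simple" when credentials are present, while the anonymous path now sets "none" explicitly; if this context (or its environment) is ever reused after an anonymous attempt, the stale "none" would make the later `reconnect(null)` ignore the credentials. Suggest adding `context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");` next to the two existing addToEnvironment calls in the else branch so both branches state their bind mode. Also worth a one-line comment at the condition: a non-null principalName combined with a null or empty password is deliberately downgraded to an anonymous bind here rather than rejected, which is the behaviour the commit message wants for the lockout case but could surprise a caller that expected an authentication failure.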
