Bug #2307

LDAP auth authenticates with any password to Active Directory

Added by Javi Fontan almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Start date: 09/06/2013
Priority: Normal
Due date:
Assignee: Javi Fontan
% Done: 0%
Category: Drivers - Auth
Target version: Release 4.4
Resolution: worksforme
Pull request:
Affected Versions: OpenNebula 4.2

Description

From mailing list (Andreas Calvo Gómez, http://lists.opennebula.org/pipermail/users-opennebula.org/2013-August/024350.html)

I've encountered a strange behavior while trying to configure ONE to authenticate against an AD, either as a proper AD or as an LDAP.
If a credential is used to query LDAP and retrieve the complete DN for the user that wants to log in, then no matter what password the user has typed, it will be listed as authenticated.

ldap_auth.conf example:

    server 1:
        :user: ''
        :password: 'mypassword'
        :auth_method: :simple
        :host: ad.mydomain.com
        :port: 389
        :base: 'dc=mydomain,dc=com'
        :user_field: 'sAMAccountName'
    :order:
        - server 1

If I manually query the authenticate process with a made-up password and secret, it is always listed as authenticated.

For instance:
oneadmin@opennebula:~$ ./remotes/auth/default/authenticate myuser badpassword badpassword
Trying server server 1
ldap myuser CN=myuser,CN=Users,DC=mydomain,DC=com

My guess is that the same user that is used to look up users performs the authenticate method and always returns a valid user.

History

#1 Updated by Andreas Calvo almost 8 years ago

OpenNebula version is 4.2.0

#2 Updated by Ruben S. Montero almost 8 years ago

  • Target version set to Release 4.4

#3 Updated by Javi Fontan almost 8 years ago

I am not able to reproduce this problem. When a password is not correct the user cannot authenticate.

Are the drivers changed in any way?

#4 Updated by Javi Fontan almost 8 years ago

  • Status changed from Pending to Closed
  • Resolution set to worksforme
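
The search-then-bind flow that the report speculates about, as an added Ruby example that is not OpenNebula's driver code and not part of the original ticket. `FakeDirectory`, its DNs, accounts and passwords are constructed stand-ins for a directory server; the block contrasts a lookup-only check with one that binds a second time as the user's DN.

```ruby
# Constructed in-memory stand-in for a directory server; not a real LDAP client.
class FakeDirectory
  ENTRIES = {
    'CN=svc-lookup,CN=Users,DC=example,DC=test' => { account: 'svc-lookup', password: 'lookup-secret' },
    'CN=myuser,CN=Users,DC=example,DC=test'     => { account: 'myuser',     password: 'correct-horse' }
  }.freeze

  # Simple bind: succeeds when the DN exists and the password matches.
  # An empty password is accepted as an RFC 4513 "unauthenticated bind",
  # which some servers permit; it proves nothing about the user.
  def bind(dn, password)
    return true if password.empty?
    entry = ENTRIES[dn]
    !entry.nil? && entry[:password] == password
  end

  # Return the DN whose account field equals the login name, or nil.
  def find_dn(account)
    ENTRIES.find { |_dn, e| e[:account] == account }&.first
  end
end

SERVICE_DN = 'CN=svc-lookup,CN=Users,DC=example,DC=test' # assumed lookup account
SERVICE_PW = 'lookup-secret'

# Flawed flow (the behaviour guessed at in the report): only the lookup
# account binds, so finding the DN is treated as a successful login.
def authenticate_lookup_only(dir, login, _password)
  return false unless dir.bind(SERVICE_DN, SERVICE_PW)
  !dir.find_dn(login).nil?
end

# Search-then-bind: find the DN with the lookup account, then bind again
# as that DN with the password the user typed.
def authenticate_rebind(dir, login, password)
  return false if password.nil? || password.empty? # refuse unauthenticated bind
  return false unless dir.bind(SERVICE_DN, SERVICE_PW)
  dn = dir.find_dn(login)
  return false if dn.nil?
  dir.bind(dn, password)
end
```

When checking a real driver for this class of problem, the thing to confirm is that the final result comes from a bind made with the user's DN and the typed password, not from the lookup account's bind or from the search result.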
