Allows to login with any password in some scenarios with LDAP
Description
One user has reported that, when set up with Apple Open Directory (LDAP), Openfire allows logging in with any password. Another user reports the same issue with OpenLDAP under certain conditions:
The setup:
Openfire 4.2.3 (The corresponding code was not changed in the master)
OpenLDAP (Anonymous Login enabled)
Steps to Reproduce:
Set up an OpenLDAP server (with users, user groups and a login for the Openfire server). Allow anonymous login.
Activate StartTLS with an SSL certificate that does not match the hostname.
Set up Openfire with an LDAP connection to OpenLDAP (activate StartTLS).
What happens:
certificate validation fails at LdapManager.java#L716 (javax.net.ssl.SSLPeerUnverifiedException: hostname of the server ‘XXXXXXXXXXXX’ does not match the hostname in the server’s certificate.)
the username and password are not set at LdapManager.java#L727
the exception is intercepted and logged at LdapManager.java#L733
LdapManager.java#L737 should actually throw an exception, but it doesn’t, since the context is valid for anonymous login. This will cause the user to be logged in.
Possible solution:
do not catch LdapManager.java#L732
do not catch LdapManager.java#L823
do not catch LdapManager.java#L623
For our concrete problem it helped to disable the anonymous login in the OpenLDAP server (incorrectly configured). In addition, the certificate for the LDAP server had to contain the common name and the alternative name of the host name of the server.
However, it should not be possible for such a misconfiguration to cause the fallback to make it possible to log in with any password.
With ApacheDirectoryServer we could not reproduce the problem. We think it is because OpenLDAP does not require you to set `env.put(Context.SECURITY_AUTHENTICATION, "none");` for the anonymous login, whereas ApacheDirectoryServer does.
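The flow the report describes, as an added Java illustration that is not Openfire's own code: bindLeaky mirrors the catch-and-log fallback at the cited LdapManager lines, bindFailClosed is what the "do not catch" suggestion amounts to. The helper names, the server URL and the user DN are assumptions.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
// Added illustration, not Openfire's code; url and userDn are assumed to be supplied by the caller.
public class StartTlsBind {
    private static LdapContext open(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return new InitialLdapContext(env, null); // plain connection, still anonymous
    }
    private static void negotiateAndBind(LdapContext ctx, String userDn, String password)
            throws NamingException, IOException {
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(); // throws SSLPeerUnverifiedException when the certificate does not match the host
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null); // performs the simple bind with the credentials set above
    }
    // Leaky pattern (the reported flow): the TLS error is logged and swallowed, the credentials
    // are never set, and the still-anonymous context is returned as if the user had authenticated.
    static LdapContext bindLeaky(String url, String userDn, String password) throws NamingException {
        LdapContext ctx = open(url);
        try {
            negotiateAndBind(ctx, userDn, password);
        } catch (IOException e) {
            System.err.println("StartTLS failed for " + userDn + ": " + e); // logged, not fatal
        }
        return ctx; // BUG: unauthenticated context escapes to the caller
    }
    // Fail-closed pattern (what "do not catch" amounts to): any failure before the bind completes
    // tears down the connection and aborts authentication instead of falling through.
    static LdapContext bindFailClosed(String url, String userDn, String password) throws NamingException {
        if (password == null || password.isEmpty()) throw new NamingException("empty password is an anonymous bind");
        LdapContext ctx = open(url);
        try {
            negotiateAndBind(ctx, userDn, password);
        } catch (IOException e) {
            try { ctx.close(); } catch (NamingException ignored) { }
            throw (NamingException) new NamingException("StartTLS failed; refusing to authenticate").initCause(e);
        }
        return ctx; // reached only after TLS succeeded and the server accepted the bind
    }
}
```

The empty-password check in bindFailClosed is an extra guard the report does not mention: LDAP treats a bind with a DN and an empty password as an unauthenticated (anonymous) bind, so it must be rejected for the same reason the swallowed exception must be.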
Logs: