LdapLoginModule bug or intention?

Martin Goldhahn martin.goldhahn at uis.no
Mon Dec 10 13:05:29 UTC 2012


I have the following login config to get UserPrincipals for groups:

COMBI {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  debug="true"
  userProvider="ldaps://ad01.uis.no/dc=uis,dc=no"
  userFilter="(&(sAMAccountName={USERNAME})(objectClass=user))"
  java.naming.security.principal="AD_DN"
  java.naming.security.credentials="PASSWORD"
  storePass="true"
  ;
  com.sun.security.auth.module.LdapLoginModule OPTIONAL
  debug="true"
  userProvider="ldaps://ad01.uis.no/dc=uis,dc=no"
  userFilter="(&(sAMAccountName={USERNAME})(objectClass=user)(memberOf=CN=Solr-Admin,OU=ServiceGroup,OU=Operation,OU=UIS,DC=uis,DC=no))"
  authzIdentity="SolrAdmin"
  java.naming.security.principal="AD_DN"
  java.naming.security.credentials="PASSWORD"
  useFirstPass="true"
  ;
  com.sun.security.auth.module.LdapLoginModule OPTIONAL
  debug="true"
  userProvider="ldaps://ad01.uis.no/dc=uis,dc=no"
  userFilter="(&(sAMAccountName={USERNAME})(objectClass=user)(memberOf=CN=FullServerAdmin_Utvikling,OU=AdminGroups,OU=Administration,DC=uis,DC=no))"
  authzIdentity="ServerAdmin"
  java.naming.security.principal="AD_DN"
  java.naming.security.credentials="PASSWORD"
  useFirstPass="true"
  ;
};

The first component succeeds, the second fails (due to the filter returning nothing), the third is supposed to succeed, but fails.
The reason is that the sharedState's password is cleared, even though clearPass is false (https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/com/sun/security/auth/module/LdapLoginModule.java#L1000).

Should it be

username = null;
if (clearPass) {
  Arrays.fill(password, ' ');
}
password = null;

OR is this by design?

--
Martin
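A simplified model of the array aliasing the post describes, added here as an illustration and not the JDK's LdapLoginModule code: the LDAP search is replaced by a boolean filter match and a constructed secret, the call ordering is reduced to "clean up on failure", and the sharedState key name is assumed. thirdModuleSucceeds compares the behaviour as posted against the post's clearPass guard and against a defensive copy of the array on read (an alternative fix not mentioned in the post).

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class SharedStateDemo {
    // Key name is assumed; SECRET is a constructed sample credential.
    static final String PW_KEY = "javax.security.auth.login.password";
    static final char[] SECRET = "s3cret".toCharArray();

    // Cleanup as the post describes it: the fill is unconditional, only the
    // sharedState removal is gated by clearPass. guardFill = the post's proposal.
    static void cleanState(Map<String, Object> shared, char[] password,
                           boolean clearPass, boolean guardFill) {
        if (password != null && (clearPass || !guardFill)) {
            Arrays.fill(password, ' ');
        }
        if (clearPass) {
            shared.remove(PW_KEY);
        }
    }

    // One OPTIONAL module with useFirstPass="true": reads the shared char[]
    // (same reference), succeeds if filter and password match, cleans up if not.
    static boolean loginModule(Map<String, Object> shared, boolean filterMatches,
                               boolean copyOnRead, boolean guardFill) {
        char[] password = (char[]) shared.get(PW_KEY);
        if (password == null) return false;
        if (copyOnRead) password = password.clone(); // alternative fix: no aliasing
        boolean ok = filterMatches && Arrays.equals(password, SECRET);
        if (!ok) cleanState(shared, password, false, guardFill); // clearPass=false
        return ok;
    }

    // Module 1 (storePass="true") has already stored its password array;
    // module 2's filter returns nothing, module 3's filter matches.
    static boolean thirdModuleSucceeds(boolean copyOnRead, boolean guardFill) {
        Map<String, Object> shared = new HashMap<>();
        shared.put(PW_KEY, SECRET.clone());
        boolean second = loginModule(shared, false, copyOnRead, guardFill);
        boolean third = loginModule(shared, true, copyOnRead, guardFill);
        return !second && third;
    }

    public static void main(String[] args) {
        System.out.println("as-is:           " + thirdModuleSucceeds(false, false));
        System.out.println("clearPass guard: " + thirdModuleSucceeds(false, true));
        System.out.println("copy on read:    " + thirdModuleSucceeds(true, false));
    }
}
```

Because module 2 fills the very array module 1 placed in sharedState, module 3 reads blanks in the as-is case; either decoupling the fill from the shared reference or gating it on clearPass lets module 3 see the original password.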

More information about the security-dev mailing list