Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: Grails-Spring-Security-LDAP 1.0
Fix Version/s: None
Component/s: Grails-Spring-Security-LDAP
Labels: None
Environment: Ubuntu 10.10 server, JDK 1.6, Oracle XE db, Windows 2000 Active Directory, Grails 1.3.7, spring-security-core 1.2.1, spring-security-ldap 1.0.5
Description
I used the settings below. The password column in the database is filled with meaningful values so that I could turn off LDAP authentication at any time. But the side effect is that it is possible to get through the login screen EITHER by entering the password defined in the Active Directory for the user OR by entering the password encoded in the password column of the SysAuthUser table in the database!
Assuming that I am not the only one who might switch to using the LDAP plugin after using the database-only approach for a while, this is a security implication.
If I turn on LDAP authentication there MUST be only one password allowed, and that is the password defined in the LDAP.
I realize that the mechanism is that if I enter the password defined in the database, the principal is org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser, and if I enter the password used in the LDAP, the principal is org.springframework.security.ldap.userdetails.LdapUserDetailsImpl.
But it looks wrong to me. A solution would be to set the passwords in the database to a non-zero-length string that will never be matched by an MD5 hash. But that should be documented.
If it is, I overlooked it, sorry.
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=xxxx,CN=Users,DC=xxxx,DC=xxxx'
grails.plugins.springsecurity.ldap.context.managerPassword = '' // bind password for the manager DN (empty here)
grails.plugins.springsecurity.ldap.context.server = 'ldap://xxxx:389'
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'CN=Users,DC=xxxx,DC=xxxx'
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}' // {0} = user DN; the '{0}' placeholder was cut off in the report and is restored here from the plugin's documented Active Directory setting
grails.plugins.springsecurity.ldap.search.base = 'CN=Users,DC=xxxx,DC=xxxx'
grails.plugins.springsecurity.ldap.search.filter = "sAMAccountName={0}" // for Active Directory you need this
grails.plugins.springsecurity.ldap.useRememberMe = false
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = true // roles still come from the database, only the password check goes to LDAP
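The behaviour in the report follows from two authentication providers being registered at once: spring-security-core's daoAuthenticationProvider checks the hash in the user table, and the LDAP plugin's ldapAuthProvider binds to Active Directory. Spring Security's ProviderManager tries the providers in order and moves on to the next one when a provider throws an AuthenticationException, so a login succeeds if either check passes. The Config.groovy fragment below is an added example and is not part of the report or of the plugin's own documentation; it assumes the core plugin's grails.plugins.springsecurity.providerNames setting and the bean names daoAuthenticationProvider and ldapAuthProvider. The first block reproduces the weak setup, the second restricts password validation to LDAP.

```groovy
// grails-app/conf/Config.groovy
// Added example; the provider bean names (daoAuthenticationProvider,
// ldapAuthProvider) and the providerNames setting are assumed from
// spring-security-core 1.2.x / spring-security-ldap 1.0.x, not from the report.
// The two assignments are alternatives: keep only one of them.

// --- Weak: both providers can validate the login form ---------------------
// ProviderManager consults each provider in order and skips one that throws
// AuthenticationException, so EITHER the database hash OR the AD bind is enough.
grails.plugins.springsecurity.providerNames = [
    'daoAuthenticationProvider',       // compares the submitted password with the user table hash
    'ldapAuthProvider',                // binds to Active Directory with the submitted password
    'anonymousAuthenticationProvider',
    'rememberMeAuthenticationProvider'
]

// --- Hardened: LDAP is the only provider that checks a password -----------
// daoAuthenticationProvider is left out, so whatever is stored in the
// password column can no longer be used to log in.
grails.plugins.springsecurity.providerNames = [
    'ldapAuthProvider',
    'anonymousAuthenticationProvider',
    'rememberMeAuthenticationProvider'
]

// Authorities are still loaded from the database for the LDAP-authenticated
// user; only the password column is no longer consulted.
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = true
```

To verify the change, log in with the old database password after restarting the application: the request must now fail with a bad-credentials error, and a successful LDAP login must still carry the database roles. Dropping the DAO provider is preferable to the sentinel-hash workaround suggested in the report, because it does not depend on every row of the password column staying unmatchable.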