[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HEADS UP: disclosing information on failed bind

To: openldap-devel@OpenLDAP.org
Subject: Re: HEADS UP: disclosing information on failed bind
From: "Richard L. Goerwitz III" <Richard.Goerwitz@Carleton.edu>
Date: Sun, 04 Apr 2004 17:10:07 -0500
Cc: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
In-reply-to: <6.0.1.1.0.20040404085632.048902e8@127.0.0.1>
Organization: Carleton College
References: <6.0.1.1.0.20040327072454.04de2510@127.0.0.1> <HBF.20040404uu17@bombur.uio.no> <6.0.1.1.0.20040404085632.048902e8@127.0.0.1>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040124

Kurt D. Zeilenga wrote:

Currently, slapd(8) will disclose information useful
to an attacker on failed bind attempt, such as when
access is denied to the userPassword attribute.  This
is bad in that it confirms to the attacker that the
account is valid and the password cannot be cracked
(as access is denied).  It would be better if slapd(8)
always returned invalidCreditials on any error
occurring before successfully validating the
credentials.


If it always returned invalidCredentials, valuable diagnostic/
debugging information might be lost, so although the response
should perhaps be invalidCredentials, logs should show that the
root cause of the denial.  Probably this is obvious, but I
thought I'd say it anyway, just in case.

--

Richard L. Goerwitz III		   Email: Richard.Goerwitz@Carleton.edu
Phone: +1 507 646 5526				   Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0

References:
- Re: HEADS UP: disclosing information on failed bind
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: HEADS UP: disclosing information on failed bind
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: back-config again
Next by Date: RE: checking for bound user
Index(es):
- Chronological
- Thread