
(ITS#3472) return code should be 32 when no access to object

Full_Name: Quanah Gibson-mount
Version: 2.2.20
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

This is a feature enhancement ITS.

Currently, when someone tries to access an entry that they do not have access
to, OpenLDAP returns err=0.  If they try to access an entry that doesn't
exist, they get err=32, no such object.

From a security standpoint, I would assume that in the first case, the client
should really get err=32, no such object, to potentially prevent malicious
people from gathering which entries actually exist in your server.

Kind of an example of this: Stanford has its account tree, in the form:

uid=XXXX,cn=accounts,dc=stanford,dc=edu.  All UIDs are emailable (uid=quanah,
quanah@stanford.edu), etc.  So the potential is there for an intelligent spammer
to test various uid=XXXX values and see whether they get err=32 or err=0, and
build up a list of valid accounts to spam.
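The leak the report describes, and the behaviour it asks for, modelled as an added example (this is illustrative code written for this page, not OpenLDAP's own search or ACL code). It uses a constructed in-memory directory with a made-up `dc=example,dc=edu` suffix, a constructed ACL in which only `cn=admin` may read the accounts subtree, and a base-object search that returns the LDAP result code together with any entries. The `leaky_search` variant checks existence before access and so answers err=0 with no entries for a hidden entry but err=32 for a missing one; `hardened_search` reports both cases as err=32. `is_oracle` is the check a directory administrator would run to confirm that an unprivileged bind identity can no longer tell the two apart.

```python
"""Model of the ITS#3472 existence leak and the requested fix.
Added illustration for this page; not OpenLDAP code.  The directory
contents, bind DNs and ACL rule below are all constructed."""

# LDAP result codes (RFC 4511)
SUCCESS = 0
NO_SUCH_OBJECT = 32

# Constructed directory: DN -> attributes
DIRECTORY = {
    "cn=accounts,dc=example,dc=edu": {"objectClass": ["organizationalRole"]},
    "uid=alice,cn=accounts,dc=example,dc=edu": {"uid": ["alice"],
                                               "mail": ["alice@example.edu"]},
    "uid=bob,cn=accounts,dc=example,dc=edu": {"uid": ["bob"],
                                             "mail": ["bob@example.edu"]},
}

# Constructed ACL: only these bound identities may read the accounts subtree.
# The anonymous bind is represented by the empty DN "".
ACCOUNTS_SUBTREE = "cn=accounts,dc=example,dc=edu"
ACCOUNT_READERS = {"cn=admin,dc=example,dc=edu"}


def has_read_access(bind_dn, dn):
    """Return True if bind_dn may read the entry at dn under the model ACL."""
    if dn == ACCOUNTS_SUBTREE or dn.endswith("," + ACCOUNTS_SUBTREE):
        return bind_dn in ACCOUNT_READERS
    return True  # everything outside the accounts subtree is world-readable


def leaky_search(bind_dn, base_dn):
    """Behaviour the report complains about: existence is decided before
    access, so a hidden entry yields (0, []) while a missing one yields
    (32, []).  Returns (result_code, entries)."""
    if base_dn not in DIRECTORY:
        return NO_SUCH_OBJECT, []
    if not has_read_access(bind_dn, base_dn):
        return SUCCESS, []  # leaks "exists, but you may not see it"
    return SUCCESS, [dict(DIRECTORY[base_dn])]


def hardened_search(bind_dn, base_dn):
    """Behaviour the report asks for: an entry the requester cannot read is
    reported exactly like one that does not exist (err=32 in both cases)."""
    if base_dn not in DIRECTORY or not has_read_access(bind_dn, base_dn):
        return NO_SUCH_OBJECT, []
    return SUCCESS, [dict(DIRECTORY[base_dn])]


def is_oracle(search, bind_dn, hidden_dn, missing_dn):
    """Administrator's check: True when the two responses differ, meaning
    bind_dn can use the server to confirm which entries exist."""
    return search(bind_dn, hidden_dn) != search(bind_dn, missing_dn)


if __name__ == "__main__":
    hidden = "uid=alice,cn=accounts,dc=example,dc=edu"   # exists, unreadable anonymously
    missing = "uid=zed,cn=accounts,dc=example,dc=edu"    # does not exist
    for name, fn in (("leaky", leaky_search), ("hardened", hardened_search)):
        print(f"{name}: anonymous bind is an existence oracle = "
              f"{is_oracle(fn, '', hidden, missing)}")
    print("admin read:", hardened_search("cn=admin,dc=example,dc=edu", hidden))
```

The point of the check is that closing the oracle must not change what an authorised reader sees: `hardened_search` still returns err=0 and the entry for `cn=admin`, and only the anonymous view of "hidden" and "missing" collapses to the same err=32 response.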