
HEADS UP: disclosing information on failed bind

Currently, slapd(8) will disclose information useful
to an attacker on a failed bind attempt, such as when
access is denied to the userPassword attribute.  This
is bad in that it confirms to the attacker that the
account is valid and the password cannot be cracked
(as access is denied).  It would be better if slapd(8)
always returned invalidCredentials on any error
occurring before successfully validating the
credentials.  I intend to make such changes to back-bdb
and back-ldbm soon.  Concerns?
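To make the enumeration oracle described above concrete, here is an added example (not OpenLDAP code and not the poster's) modelling a simple bind in Python against a constructed three-entry directory. bind_leaky returns a distinct LDAP result code for each failure that happens before the password is checked; bind_uniform collapses all of them into invalidCredentials; probe_accounts plays the attacker, binding every candidate DN with a junk password and counting how many server states the result codes let it tell apart. The DNs, entries, ACL flag and the bind_*/probe_* names are assumptions made for the example; the result-code values are the standard LDAP ones (RFC 4511).

```python
"""Added example (not slapd code): why a bind handler should report every
pre-validation failure as invalidCredentials.

The directory, DNs and ACL flags below are constructed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Standard LDAP result codes (RFC 4511), values only.
SUCCESS = 0
NO_SUCH_OBJECT = 32
INAPPROPRIATE_AUTHENTICATION = 48
INVALID_CREDENTIALS = 49
INSUFFICIENT_ACCESS_RIGHTS = 50


@dataclass
class Entry:
    """Minimal stand-in for a directory entry as the bind code sees it."""
    user_password: Optional[str]   # None: no userPassword attribute present
    auth_access: bool              # ACLs grant "auth" access to userPassword


# Constructed sample directory; bob's ACL denies auth access to userPassword.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,dc=example,dc=com": Entry(user_password="s3cret", auth_access=True),
    "uid=bob,dc=example,dc=com":   Entry(user_password="hunter2", auth_access=False),
    "uid=carol,dc=example,dc=com": Entry(user_password=None, auth_access=True),
}


def _password_matches(stored: str, supplied: str) -> bool:
    # Constant-time comparison. Cleartext storage is a simplification for
    # the example, not a recommendation.
    return hmac.compare_digest(stored.encode(), supplied.encode())


def bind_leaky(dn: str, password: str) -> int:
    """Leaky behaviour: each failure before the credential check gets its
    own result code, so the code itself tells the client why it failed."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT                 # "no such account"
    if not entry.auth_access:
        return INSUFFICIENT_ACCESS_RIGHTS     # "account exists, can't be tried"
    if entry.user_password is None:
        return INAPPROPRIATE_AUTHENTICATION   # "account exists, no password"
    if _password_matches(entry.user_password, password):
        return SUCCESS
    return INVALID_CREDENTIALS


def bind_uniform(dn: str, password: str) -> int:
    """Hardened behaviour: anything that goes wrong before the credentials
    are actually validated is reported as invalidCredentials."""
    entry = DIRECTORY.get(dn)
    if entry is None or not entry.auth_access or entry.user_password is None:
        return INVALID_CREDENTIALS
    if _password_matches(entry.user_password, password):
        return SUCCESS
    return INVALID_CREDENTIALS


def probe_accounts(bind: Callable[[str, str], int],
                   candidates: List[str]) -> Dict[str, int]:
    """Attacker's enumeration step: bind each candidate DN with a junk
    password and record the result code the server hands back."""
    return {dn: bind(dn, "definitely-wrong") for dn in candidates}


def distinguishable_states(bind: Callable[[str, str], int],
                           candidates: List[str]) -> int:
    """Number of distinct server states the attacker can separate from
    result codes alone; 1 means the oracle is closed."""
    return len(set(probe_accounts(bind, candidates).values()))


CANDIDATES = [
    "uid=alice,dc=example,dc=com",
    "uid=bob,dc=example,dc=com",
    "uid=carol,dc=example,dc=com",
    "uid=nobody,dc=example,dc=com",
]

if __name__ == "__main__":
    for name, bind in (("leaky", bind_leaky), ("uniform", bind_uniform)):
        print(name, probe_accounts(bind, CANDIDATES),
              "distinguishable states:", distinguishable_states(bind, CANDIDATES))
```

Against the constructed directory the leaky handler lets one junk-password bind per DN sort candidates into four classes (nonexistent, exists but unreadable password, exists with no password, exists with a password worth guessing), while the uniform handler returns invalidCredentials for all of them and the probe learns nothing. Result codes are only one channel; differences in response time between the branches would need separate attention and are not addressed here.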