[Date Prev][Date Next] [Chronological] [Thread] [Top]

HEADS UP: disclosing information on failed bind

To: openldap-devel@OpenLDAP.org
Subject: HEADS UP: disclosing information on failed bind
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 27 Mar 2004 07:29:08 -0800

Currently, slapd(8) will disclose information useful
to an attacker on failed bind attempt, such as when
access is denied to the userPassword attribute.  This
is bad in that it confirms to the attacker that the
account is valid and the password cannot be cracked
(as access is denied).  It would be better if slapd(8)
always returned invalidCreditials on any error
occurring before successfully validating the
credentials.  I intend to make such changes to back-bdb
and back-ldbm soon.  Concerns?

Kurt

Prev by Date: Re: HEADS UP: -llber/-lldap sonames changes
Next by Date: ITS #2899 - NS-MTA-MD5 password hashing
Index(es):
- Chronological
- Thread