
Re: HEADS UP: disclosing information on failed bind

Kurt D. Zeilenga writes:
> Currently, slapd(8) will disclose information useful
> to an attacker on failed bind attempt, such as when
> access is denied to the userPassword attribute.  This
> is bad in that it confirms to the attacker that the
> account is valid and the password cannot be cracked
> (as access is denied).  It would be better if slapd(8)
> always returned invalidCredentials on any error
> occurring before successfully validating the
> credentials.

...except protocolError, timeLimitExceeded (a client control might
set a limit), authMethodNotSupported, maybe strongAuthRequired (not
sure if Bind can return that in order to request a stronger Bind),
adminLimitExceeded, unavailableCriticalExtension,
confidentialityRequired, maybe invalidDNSyntax for Simple Bind?,
busy, unavailable, maybe unwillingToPerform, maybe loopDetect (for
a chaining backend), and other:-)

Except for that, good idea.  Remember to nuke 'matchedDN' and too
informative 'diagnosticMessage's too, if they can occur.
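An added illustration of the policy discussed above (example code written for this note, not slapd's own implementation): a hypothetical bind-result filter that collapses every pre-validation failure to invalidCredentials except the request- and server-state codes listed in the reply (including the "maybe" ones), and clears matchedDN and diagnosticMessage on every failure. The result-code numbers are the standard RFC 4511 values; the `bind_result` struct is assumed.

```c
#include <stdbool.h>

/* LDAP result codes (numeric values as assigned in RFC 4511). */
enum {
    LDAP_SUCCESS = 0, LDAP_PROTOCOL_ERROR = 2, LDAP_TIME_LIMIT_EXCEEDED = 3,
    LDAP_AUTH_METHOD_NOT_SUPPORTED = 7, LDAP_STRONG_AUTH_REQUIRED = 8,
    LDAP_ADMIN_LIMIT_EXCEEDED = 11, LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12,
    LDAP_CONFIDENTIALITY_REQUIRED = 13, LDAP_NO_SUCH_OBJECT = 32,
    LDAP_INVALID_DN_SYNTAX = 34, LDAP_INVALID_CREDENTIALS = 49,
    LDAP_INSUFFICIENT_ACCESS = 50, LDAP_BUSY = 51, LDAP_UNAVAILABLE = 52,
    LDAP_UNWILLING_TO_PERFORM = 53, LDAP_LOOP_DETECT = 54, LDAP_OTHER = 80
};

/* Fields of a BindResponse the server fills in (hypothetical struct). */
struct bind_result {
    int code;
    char matched_dn[256];
    char diag_msg[256];
};

/* Codes the reply lets through: they describe the request or the server's
 * state, not whether the bind DN exists or which ACLs protect it. */
static bool bind_error_is_passthrough(int code)
{
    switch (code) {
    case LDAP_PROTOCOL_ERROR: case LDAP_TIME_LIMIT_EXCEEDED:
    case LDAP_AUTH_METHOD_NOT_SUPPORTED: case LDAP_STRONG_AUTH_REQUIRED:
    case LDAP_ADMIN_LIMIT_EXCEEDED: case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
    case LDAP_CONFIDENTIALITY_REQUIRED: case LDAP_INVALID_DN_SYNTAX:
    case LDAP_BUSY: case LDAP_UNAVAILABLE: case LDAP_UNWILLING_TO_PERFORM:
    case LDAP_LOOP_DETECT: case LDAP_OTHER:
        return true;
    default:
        return false;
    }
}

/* Sanitize a bind result computed before the credentials were validated.
 * Account-revealing codes (noSuchObject, insufficientAccessRights, ...)
 * collapse to invalidCredentials; matchedDN and diagnosticMessage are
 * cleared on any failure, since either can leak what the code no longer
 * does. Returns the code that goes on the wire. */
int sanitize_bind_result(struct bind_result *r)
{
    if (r->code == LDAP_SUCCESS) return r->code;
    if (!bind_error_is_passthrough(r->code))
        r->code = LDAP_INVALID_CREDENTIALS;
    r->matched_dn[0] = '\0';
    r->diag_msg[0] = '\0';
    return r->code;
}
```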