[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HEADS UP: disclosing information on failed bind

At 11:10 PM 4/3/2004, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>> Currently, slapd(8) will disclose information useful
>> to an attacker on failed bind attempt, such as when
>> access is denied to the userPassword attribute.  This
>> is bad in that it confirms to the attacker that the
>> account is valid and the password cannot be cracked
>> (as access is denied).  It would be better if slapd(8)
>> always returned invalidCreditials on any error
>> occurring before successfully validating the
>> credentials.

Yes.  By "any error" I meant any error that would
inappropriately disclose useful information about the
(in)validity the credentials.