Re: HEADS UP: disclosing information on failed bind
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: Re: HEADS UP: disclosing information on failed bind
- From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Date: Sun, 4 Apr 2004 09:10:35 +0200
- Cc: openldap-devel@OpenLDAP.org
- In-reply-to: <6.0.1.1.0.20040327072454.04de2510@127.0.0.1>
- References: <6.0.1.1.0.20040327072454.04de2510@127.0.0.1>
Kurt D. Zeilenga writes:
> Currently, slapd(8) will disclose information useful
> to an attacker on failed bind attempt, such as when
> access is denied to the userPassword attribute. This
> is bad in that it confirms to the attacker that the
> account is valid and the password cannot be cracked
> (as access is denied). It would be better if slapd(8)
> always returned invalidCredentials on any error
> occurring before successfully validating the
> credentials.
...except protocolError, timeLimitExceeded (a client control might
set a limit), authMethodNotSupported, maybe strongAuthRequired (not
sure if Bind can return that in order to request a stronger Bind),
adminLimitExceeded, unavailableCriticalExtension,
confidentialityRequired, maybe invalidDNSyntax for Simple Bind?,
busy, unavailable, maybe unwillingToPerform, maybe loopDetect (for
a chaining backend), and other:-)
Except for that, good idea. Remember to nuke 'matchedDN' and too
informative 'diagnosticMessage's too, if they can occur.
--
Hallvard
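A toy illustration of the rule under discussion, added here as example code (it is not slapd code; the directory contents, the per-entry ACL flag and the probe DNs are constructed). It contrasts a handler that reports each Bind failure step as-is with one that passes through only the codes Hallvard lists and collapses everything else to invalidCredentials with matchedDN and diagnosticMessage blanked; `distinct_responses` counts how many replies an unauthenticated probe can tell apart.

```python
# Added example, not OpenLDAP code: a toy simple-Bind handler that reports every
# failure step as-is, and a filter applying the rule proposed above.
# resultCode values are the RFC 4511 numbers (strongAuthRequired is 8).
(SUCCESS, PROTOCOL_ERROR, TIME_LIMIT_EXCEEDED, AUTH_METHOD_NOT_SUPPORTED,
 STRONG_AUTH_REQUIRED, ADMIN_LIMIT_EXCEEDED, UNAVAILABLE_CRITICAL_EXTENSION,
 CONFIDENTIALITY_REQUIRED, NO_SUCH_OBJECT, INVALID_DN_SYNTAX, INVALID_CREDENTIALS,
 INSUFFICIENT_ACCESS_RIGHTS, BUSY, UNAVAILABLE, UNWILLING_TO_PERFORM, LOOP_DETECT,
 OTHER) = (0, 2, 3, 7, 8, 11, 12, 13, 32, 34, 49, 50, 51, 52, 53, 54, 80)

# Codes that say nothing about the account (Hallvard's exception list); every
# other error raised before the password is checked collapses to invalidCredentials.
PASS_THROUGH = frozenset({
    PROTOCOL_ERROR, TIME_LIMIT_EXCEEDED, AUTH_METHOD_NOT_SUPPORTED,
    STRONG_AUTH_REQUIRED, ADMIN_LIMIT_EXCEEDED, UNAVAILABLE_CRITICAL_EXTENSION,
    CONFIDENTIALITY_REQUIRED, INVALID_DN_SYNTAX, BUSY, UNAVAILABLE,
    UNWILLING_TO_PERFORM, LOOP_DETECT, OTHER})

# Constructed directory: DN -> (userPassword, may the binder read userPassword?)
DIRECTORY = {
    "uid=alice,dc=example,dc=com": ("s3cret", True),
    "uid=bob,dc=example,dc=com": ("hunter2", False),
}

def raw_bind(dn, password):
    """Naive handler: returns (resultCode, matchedDN, diagnosticMessage) as found."""
    if "=" not in dn:
        return INVALID_DN_SYNTAX, "", "invalid DN"
    entry = DIRECTORY.get(dn)
    if entry is None:                       # leaks: account does not exist
        return NO_SUCH_OBJECT, "dc=example,dc=com", "no such entry"
    stored, readable = entry
    if not readable:                        # leaks: account exists, ACL blocks it
        return INSUFFICIENT_ACCESS_RIGHTS, "", "access to userPassword denied"
    if password != stored:
        return INVALID_CREDENTIALS, "", "password mismatch"
    return SUCCESS, "", ""

def sanitized_bind(dn, password):
    """Same handler, but the client only sees PASS_THROUGH codes or
    invalidCredentials, with matchedDN and diagnosticMessage blanked."""
    code = raw_bind(dn, password)[0]
    if code == SUCCESS or code in PASS_THROUGH:
        return code, "", ""
    return INVALID_CREDENTIALS, "", ""

def distinct_responses(handler, dns, password="wrong"):
    """How many different replies an unauthenticated probe can tell apart."""
    return len({handler(dn, password) for dn in dns})
```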