Re: HEADS UP: disclosing information on failed bind
At 11:10 PM 4/3/2004, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>> Currently, slapd(8) will disclose information useful
>> to an attacker on failed bind attempt, such as when
>> access is denied to the userPassword attribute. This
>> is bad in that it confirms to the attacker that the
>> account is valid and the password cannot be cracked
>> (as access is denied). It would be better if slapd(8)
>> always returned invalidCredentials on any error
>> occurring before successfully validating the
>> credentials.
>
>...except
Yes. By "any error" I meant any error that would
inappropriately disclose useful information about the
(in)validity of the credentials.
Kurt
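The policy discussed in this thread, as an added illustration (not OpenLDAP's slapd code): every failure that occurs before the credentials are actually validated, whether the entry does not exist, the ACLs hide userPassword from the bind operation, or the password simply does not match, collapses to the same invalidCredentials result for the client, while the precise reason is retained only in a server-side audit log. The directory entries, ACL table, and plaintext password values below are constructed for the example; a real directory would hold hashed userPassword values.

```python
"""Uniform bind-failure handling (added example, not OpenLDAP code).

Policy: any error before successful credential validation is reported
to the client as invalidCredentials (LDAP result code 49). The specific
cause goes to the audit log only, so a failed bind cannot be used to
tell a valid account from an invalid one.
"""
from enum import Enum
import hmac

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials
SUCCESS = 0


class Reason(Enum):
    """Internal outcome of a bind evaluation; never sent to the client."""
    NO_SUCH_ENTRY = "no such entry"
    NO_PASSWORD_ACCESS = "access denied to userPassword"
    PASSWORD_MISMATCH = "password mismatch"
    OK = "ok"


# Constructed directory: DN -> attributes (plaintext stands in for hashes).
DIRECTORY = {
    "uid=alice,dc=example,dc=com": {"userPassword": "correct horse"},
    "uid=bob,dc=example,dc=com": {"userPassword": "battery staple"},
}

# Constructed ACL: whether the bind operation may read userPassword.
PASSWORD_READABLE = {
    "uid=alice,dc=example,dc=com": True,
    "uid=bob,dc=example,dc=com": False,  # ACL denies access to userPassword
}

# Server-side audit log of (dn, reason); this is where detail belongs.
AUDIT_LOG = []


def check_bind(dn, password):
    """Evaluate a bind and return the precise internal reason."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return Reason.NO_SUCH_ENTRY
    if not PASSWORD_READABLE.get(dn, False):
        return Reason.NO_PASSWORD_ACCESS
    stored = entry["userPassword"].encode()
    if not hmac.compare_digest(stored, password.encode()):
        return Reason.PASSWORD_MISMATCH
    return Reason.OK


def bind(dn, password):
    """Client-facing bind: returns (resultCode, diagnosticMessage).

    Every pre-validation failure yields the identical code and message,
    so the response carries no information about why the bind failed.
    """
    reason = check_bind(dn, password)
    AUDIT_LOG.append((dn, reason.value))
    if reason is Reason.OK:
        return SUCCESS, ""
    return INVALID_CREDENTIALS, "invalid credentials"


if __name__ == "__main__":
    for dn, pw in [
        ("uid=nobody,dc=example,dc=com", "x"),      # entry does not exist
        ("uid=bob,dc=example,dc=com", "battery staple"),  # ACL hides password
        ("uid=alice,dc=example,dc=com", "wrong"),  # password mismatch
        ("uid=alice,dc=example,dc=com", "correct horse"),
    ]:
        print(dn, "->", bind(dn, pw))
    print("audit log:", AUDIT_LOG)
```

The three failing binds are indistinguishable on the wire, while the audit log still records "no such entry", "access denied to userPassword" and "password mismatch" respectively for the operator.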