
Re: HEADS UP: disclosing information on failed bind



Kurt D. Zeilenga wrote:

> Currently, slapd(8) will disclose information useful
> to an attacker on failed bind attempt, such as when
> access is denied to the userPassword attribute.  This
> is bad in that it confirms to the attacker that the
> account is valid and the password cannot be cracked
> (as access is denied).  It would be better if slapd(8)
> always returned invalidCredentials on any error
> occurring before successfully validating the
> credentials.

If it always returned invalidCredentials, valuable diagnostic/debugging information might be lost, so although the response should perhaps be invalidCredentials, the logs should show the root cause of the denial. Probably this is obvious, but I thought I'd say it anyway, just in case.

--

Richard L. Goerwitz III		   Email: Richard.Goerwitz@Carleton.edu
Phone: +1 507 646 5526				   Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0
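The policy the two messages converge on, as an added illustration that is not slapd's code and not from either author: every failure that occurs before the credentials are validated (unknown DN, ACL denying auth access to userPassword, entry with no userPassword, wrong password) is collapsed to the single LDAP result code invalidCredentials on the wire, while the server log line keeps the specific reason. The directory entries, the `bind_reason` enum, the reason names and the log line format are all constructed for this example; the numeric result codes (0, 32, 49, 50) are the RFC 4511 values.

```c
#include <stdio.h>
#include <string.h>

/* LDAP result codes from RFC 4511 */
enum { LDAP_SUCCESS = 0, LDAP_NO_SUCH_OBJECT = 32,
       LDAP_INVALID_CREDENTIALS = 49, LDAP_INSUFFICIENT_ACCESS = 50 };

/* Internal reasons a simple bind can fail (constructed for this example;
 * not slapd's own enumeration) */
typedef enum { BIND_OK, BIND_NO_SUCH_ENTRY, BIND_ACCESS_DENIED,
               BIND_NO_PASSWORD, BIND_PASSWORD_MISMATCH } bind_reason;

/* Human-readable reason for the server log only; never sent to the client */
static const char *reason_name(bind_reason r) {
    static const char *names[] = { "ok", "noSuchEntry", "aclDeniesUserPassword",
                                   "noUserPassword", "passwordMismatch" };
    return names[r];
}

/* Constructed toy directory: DN, stored password (NULL = no userPassword),
 * and whether the ACL grants "auth" access to userPassword for this entry */
struct entry { const char *dn; const char *password; int auth_access; };
static const struct entry directory[] = {
    { "cn=alice,dc=example,dc=com", "alice-secret", 1 },
    { "cn=bob,dc=example,dc=com",   "bob-secret",   0 },  /* ACL denies auth */
    { "cn=carol,dc=example,dc=com", NULL,           1 },  /* no userPassword */
};

/* Look the DN up and work out why (or whether) the bind fails */
static bind_reason evaluate_bind(const char *dn, const char *pw) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        const struct entry *e = &directory[i];
        if (strcmp(e->dn, dn) != 0) continue;
        if (!e->auth_access) return BIND_ACCESS_DENIED;
        if (e->password == NULL) return BIND_NO_PASSWORD;
        return strcmp(e->password, pw) == 0 ? BIND_OK : BIND_PASSWORD_MISMATCH;
    }
    return BIND_NO_SUCH_ENTRY;
}

/* Leaky mapping: the internal reason shows through in the result code, so a
 * client can tell "no such account" from "account exists but ACL blocks auth" */
int leaky_result_code(bind_reason r) {
    switch (r) {
    case BIND_OK:            return LDAP_SUCCESS;
    case BIND_NO_SUCH_ENTRY: return LDAP_NO_SUCH_OBJECT;
    case BIND_ACCESS_DENIED: return LDAP_INSUFFICIENT_ACCESS;
    default:                 return LDAP_INVALID_CREDENTIALS;
    }
}

/* Uniform mapping: every pre-validation failure becomes invalidCredentials */
int uniform_result_code(bind_reason r) {
    return r == BIND_OK ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS;
}

/* Perform a bind: returns the code sent to the client and writes a server
 * log line carrying the root cause into logbuf (constructed log format) */
int do_bind(const char *dn, const char *pw, char *logbuf, size_t loglen) {
    bind_reason r = evaluate_bind(dn, pw);
    int code = uniform_result_code(r);
    snprintf(logbuf, loglen, "BIND dn=\"%s\" result=%d reason=%s",
             dn, code, reason_name(r));
    return code;
}

int main(void) {
    char line[256];
    const char *tries[][2] = {
        { "cn=alice,dc=example,dc=com",  "wrong" },
        { "cn=bob,dc=example,dc=com",    "bob-secret" },
        { "cn=carol,dc=example,dc=com",  "anything" },
        { "cn=nobody,dc=example,dc=com", "x" },
        { "cn=alice,dc=example,dc=com",  "alice-secret" },
    };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int code = do_bind(tries[i][0], tries[i][1], line, sizeof line);
        printf("client sees %d | log: %s\n", code, line);
    }
    return 0;
}
```

Running it shows the first four attempts all returning 49 to the client while the log lines read `reason=passwordMismatch`, `reason=aclDeniesUserPassword`, `reason=noUserPassword` and `reason=noSuchEntry` respectively; only the last attempt returns 0. Compare with `leaky_result_code`, which would have answered 50 for bob and 32 for the nonexistent DN, which is exactly the distinction the first message wants to hide.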