Re: Substring Indexes on userPassword Attribute



> And quite right too! You really don't want to make it any easier for an
> attacker to search for weak passwords.

*sigh*

I dislike misguided attempts at making things harder for attackers. If
an attacker already has access to your userPassword field, then they
can do exactly the same procedure that you proposed I do to extract
that information. This sort of "security feature" doesn't make it
substantively harder for attackers. It makes it irritating for systems
administrators. Yes, I *could* write a script to do what you propose.
But, I have a database engine that I ought to be able to query to give
me the information I need, and I don't want to have to write a script
every time I need to query information from a handful of special
attributes while not having to do so to search by last name or
whatever.

At the very least, this ought to be an option. I can see not making a
search index on userPassword by default, but as a system administrator
I ought to be able to make that decision for myself. I don't need a
person who has absolutely no context about my situation telling me
that I can't use my copy of the software to do something I want to do
with my data.

Also, why are there some other things that can't be searched via
substring (like homeDirectory)? What if I want to know which users are
using bash because we're thinking about upgrading it and want to
notify those users? Or what if I want to know which users are using
/usr/local/bin/bash instead of /bin/bash so that I can update the
database to be consistent?

--

Tim Gustafson
tjg@ucsc.edu
831-459-5354
Baskin Engineering, Room 313A
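The client-side script the post refers to, as an added example that is not part of this thread: it parses LDIF as printed by `ldapsearch -LLL` (the entries below are constructed sample data, not a real directory) and does the substring match locally for attributes the post says cannot be substring-searched on the server, such as loginShell and homeDirectory. It handles LDIF line folding and base64 (`::`) values so that folded or non-ASCII values are not silently missed.

```python
import base64
import re

# Constructed sample of `ldapsearch -LLL` output (not real directory data):
# note the folded continuation line and the base64-encoded (`::`) value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
homeDirectory: /home/bob
loginShell: /usr/local/bin/
 bash

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
homeDirectory:: L2hvbWUvY2Fyb2w=
loginShell: /bin/zsh
"""


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry, unfolding
    continuation lines (leading space) and decoding base64 ('::') values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # LDIF line folding
            else:
                lines.append(raw)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def users_with_substring(entries, attr, needle):
    """Client-side substring match for attributes the server will not index."""
    return sorted(e["uid"][0] for e in entries
                  if any(needle in v for v in e.get(attr, [])))
```

Feed it real output with `parse_ldif(open("users.ldif").read())`, then e.g. `users_with_substring(entries, "loginShell", "/usr/local/bin/bash")` lists the users to notify or fix.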