directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hans Lohmander (JIRA)" <>
Subject [jira] Created: (DIRSERVER-997) Block search ability for userPassword attribute
Date Fri, 13 Jul 2007 22:03:06 GMT
Block search ability for userPassword attribute

                 Key: DIRSERVER-997
             Project: Directory ApacheDS
          Issue Type: Improvement
         Environment: All
            Reporter: Hans Lohmander

I entered this issue on request from the user list where this topic came up.

The userPassword should not be available for search,
else password fishing is possible.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"'
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on ueserPassword attribute with
directory manager privs I found out. 

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message