directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hans Lohmander (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute
Date Sat, 14 Jul 2007 08:41:04 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512690
] 

Hans Lohmander commented on DIRSERVER-997:
------------------------------------------

Yes, the issue DIRSERVER-955 would handle this and more. Then it comes down to a sensible
default configuration for the userPassword attribute.



> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>         Environment: All
>            Reporter: Hans Lohmander
>
> I entered this issue on request from the user list where this topic came up.
> The userPassword should not be available for search,
> else password fishing is possible.
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"'
dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
> iPlanet DS 4.x allowed searches on ueserPassword attribute with
> directory manager privs I found out. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message