directory-dev mailing list archives

From "Emmanuel Lecharny" <elecha...@gmail.com>
Subject I was wrong, was : Name/Password simple authentication error code
Date Mon, 09 Jun 2008 21:05:41 GMT
Forget about the previous mail. The message is simply swallowed and
replaced by the correct message.

The inner message is just used for debugging purpose.

My bad...

On Mon, Jun 9, 2008 at 9:59 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> Hi,
>
> while reviewing the whole authentication system, I discovered that if
> you provide a wrong password to an existing user, you will get a
> LdapAuthenticationException error, with a "Password not correct for
> user 'blah'".
>
> This is contradictory with RFC 4513 which says that if the password is
> not valid for the DN, an InvalidCredentials error should be issued.
> More important is the message, which gives a clear indication to the
> user that the DN is correct, but its password is not the good one :
> typically the wrong message to give to an attacker.
>
> I think we have to change this portion of the code.
>
> thoughts ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
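One way to apply the point of this thread, as an added example that is not ApacheDS code: a bind failure for an unknown DN and one for a wrong password both reach the client as the same invalidCredentials result (resultCode 49 in RFC 4511), while the specific inner reason is swallowed and kept only for server-side debug logging. The DN, the password store and the SHA-256 hashing are constructed assumptions for the example.

```python
import hashlib
import hmac
import logging

LOG = logging.getLogger("bind")
INVALID_CREDENTIALS = 49  # LDAP invalidCredentials result code (RFC 4511)

class InnerAuthError(Exception):
    """Server-side detail ("no such DN" / "wrong password"); never sent to the client."""

class LdapAuthenticationException(Exception):
    """What the client sees: the result code plus a neutral diagnostic message."""

    def __init__(self, result_code, message, cause=None):
        super().__init__(message)
        self.result_code = result_code
        self.cause = cause  # inner exception, kept for debugging only

def _hash(password: str) -> bytes:
    # Constructed store uses plain SHA-256; an assumption for this example only.
    return hashlib.sha256(password.encode()).digest()

# Constructed directory (sample data): DN -> password hash.
DIRECTORY = {"uid=blah,ou=users,dc=example,dc=com": _hash("s3cret")}

def simple_bind(dn: str, password: str) -> bool:
    """Return True on success; otherwise raise LdapAuthenticationException."""
    try:
        stored = DIRECTORY.get(dn)
        if stored is None:
            raise InnerAuthError(f"No such DN: {dn}")
        if not hmac.compare_digest(stored, _hash(password)):
            raise InnerAuthError(f"Password not correct for user '{dn}'")
        return True
    except InnerAuthError as inner:
        LOG.debug("bind failed: %s", inner)  # detail stays in the server log
        # The inner message is swallowed and replaced by the uniform client message.
        raise LdapAuthenticationException(
            INVALID_CREDENTIALS, "INVALID_CREDENTIALS", cause=inner) from None

def client_view(dn: str, password: str) -> tuple:
    """(result_code, message) exactly as a bind client would observe it."""
    try:
        simple_bind(dn, password)
        return (0, "success")
    except LdapAuthenticationException as e:
        return (e.result_code, str(e))
```

Because both failure paths return an identical (result_code, message) pair, a client cannot tell from the response whether the DN exists; the distinction survives only in the server's debug log.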
