directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Seelmann <seelm...@apache.org>
Subject Re: svn commit: r748560 - /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/BindHandler.java
Date Fri, 27 Feb 2009 17:11:43 GMT
elecharny@apache.org wrote:
> 
> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
> Log:
> Fixed an error message. If the PrincipalDN was not found, the server sent back a Referral
error. Not very cool ...
> ...
> +                result.setErrorMessage( "Bind principalDn has not
> been found in the server." );

Hm, a potential attacker gets useful information that the DN doesn't
exist. Maybe it is better to return the same error message as if the
password is wrong?

49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user
uid=admin,ou=system

On the other hand, for debugging is is better to get the real cause...

Kind Regards,
Stefan


Mime
View raw message