From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: svn commit: r748560 - /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/BindHandler.java
Date Fri, 27 Feb 2009 17:26:28 GMT
Stefan Seelmann wrote:
> elecharny@apache.org wrote:
>   
>> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
>> Log:
>> Fixed an error message. If the PrincipalDN was not found, the server sent back a
>> Referral error. Not very cool ...
>> ...
>> +                result.setErrorMessage( "Bind principalDn has not
>> been found in the server." );
>>     
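Review bot: the new message "Bind principalDn has not been found in the server." tells an unauthenticated client whether a DN exists, which is a different answer from the one a wrong password gets; return the same INVALID_CREDENTIALS text for both cases (for example "Bind failed: Cannot authenticate user <dn>") and keep the "not found" detail in the server log only.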
>
> Hm, a potential attacker gets useful information that the DN doesn't
> exist. Maybe it is better to return the same error message as if the
> password is wrong?
>
> 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user
> uid=admin,ou=system
>
> On the other hand, for debugging it is better to get the real cause...
>   
Oops, you are right !

We can still log the correct error message, but return a simple message.


-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
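The pattern agreed in the thread, as an added example rather than ApacheDS code: the handler logs the precise failure cause (unknown DN versus wrong password) on the server side and returns one generic INVALID_CREDENTIALS message to the client. The class, its in-memory entry table and the sample DN/password are all constructed for the example; the design choice of hashing the presented password even when the DN is missing, so that both failure paths do the same work, is an assumption added here, not something the thread discusses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

/**
 * Hypothetical bind handler (added example, not ApacheDS code).
 * Client-facing result never distinguishes "no such DN" from "bad password";
 * the distinction lives only in the server log.
 */
public class UniformBindHandler {
    private static final Logger LOG = Logger.getLogger(UniformBindHandler.class.getName());

    /** LDAP invalidCredentials result code (RFC 4511). */
    public static final int INVALID_CREDENTIALS = 49;
    /** LDAP success result code. */
    public static final int SUCCESS = 0;
    /** The single message every authentication failure reports to the client. */
    public static final String GENERIC_MESSAGE = "Bind failed: Cannot authenticate user ";

    /** What the client receives. */
    public static final class BindResult {
        public final int resultCode;
        public final String errorMessage;

        BindResult(int resultCode, String errorMessage) {
            this.resultCode = resultCode;
            this.errorMessage = errorMessage;
        }
    }

    // Constructed in-memory directory: principal DN -> SHA-256 of the password.
    private final Map<String, byte[]> entries = new HashMap<>();
    // Digest compared against when the DN is unknown, so the missing-entry path
    // performs the same hashing and comparison work as the wrong-password path.
    private final byte[] dummyDigest = sha256("no-such-entry");

    public UniformBindHandler() {
        // Sample data only.
        entries.put("uid=admin,ou=system", sha256("secret"));
    }

    public BindResult bind(String principalDn, String password) {
        byte[] stored = entries.get(principalDn);
        boolean dnKnown = stored != null;
        byte[] presented = sha256(password);

        // Always compare; MessageDigest.isEqual is a constant-time comparison.
        boolean passwordMatches = MessageDigest.isEqual(dnKnown ? stored : dummyDigest, presented);

        if (!dnKnown) {
            // The real cause is recorded here and nowhere else.
            LOG.warning("Bind failed: principal DN not found: " + principalDn);
            return failure(principalDn);
        }
        if (!passwordMatches) {
            LOG.warning("Bind failed: wrong password for " + principalDn);
            return failure(principalDn);
        }
        return new BindResult(SUCCESS, "");
    }

    /** Same result code and same text regardless of why the bind failed. */
    private static BindResult failure(String principalDn) {
        return new BindResult(INVALID_CREDENTIALS, GENERIC_MESSAGE + principalDn);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        UniformBindHandler handler = new UniformBindHandler();
        BindResult unknownDn = handler.bind("uid=nobody,ou=system", "secret");
        BindResult wrongPassword = handler.bind("uid=admin,ou=system", "wrong");
        BindResult ok = handler.bind("uid=admin,ou=system", "secret");
        // Both failures carry code 49 and the same message shape; only the log differs.
        System.out.println(unknownDn.resultCode + " - " + unknownDn.errorMessage);
        System.out.println(wrongPassword.resultCode + " - " + wrongPassword.errorMessage);
        System.out.println("success: " + (ok.resultCode == SUCCESS));
    }
}
```

Running `main` prints two identically shaped "49 - Bind failed: Cannot authenticate user <dn>" lines, while the JUL log shows "principal DN not found" for the first and "wrong password" for the second, which is the split between client message and server log that the reply above proposes.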