directory-dev mailing list archives

From Felix Knecht <fel...@apache.org>
Subject Re: svn commit: r748560 - /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/BindHandler.java
Date Fri, 27 Feb 2009 17:28:58 GMT
Or have in both cases the message

result.setErrorMessage( "Bind principalDn has not been found in the server or could not be authenticated." );


Emmanuel Lecharny wrote:
> Stefan Seelmann wrote:
>> elecharny@apache.org wrote:
>>  
>>> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
>>> Log:
>>> Fixed an error message. If the PrincipalDN was not found, the server 
>>> sent back a Referral error. Not very cool ...
>>> ...
>>> +                result.setErrorMessage( "Bind principalDn has not
>>> been found in the server." );
>>>     
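Review bot: the message added on the `+` line tells an unauthenticated client that the bind DN does not exist, which is distinguishable from the wrong-password response quoted below (`Bind failed: Cannot authenticate user uid=admin,ou=system`), so a client can enumerate valid DNs by issuing binds; return the same invalidCredentials result and message for both causes, and write the real cause (DN not found vs. password mismatch) only to the server log.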
>>
>> Hm, a potential attacker gets useful information that the DN doesn't
>> exist. Maybe it is better to return the same error message as if the
>> password is wrong?
>>
>> 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user
>> uid=admin,ou=system
>>
>> On the other hand, for debugging it is better to get the real cause...
>>   
> Oops, you are right !
> 
> We can still log the correct error message, but return a simple message.
> 


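The pattern the thread converges on, as an added example that is not ApacheDS code: the leaky handler returns a different message when the DN is missing, the uniform one returns the same code and message for both failures and logs the real cause server-side. The class, the in-memory directory and its entry are constructed for illustration.

```java
import java.util.Map;
import java.util.logging.Logger;

// Added example (not ApacheDS code): a minimal bind-result model over a
// constructed in-memory "directory". All names here are hypothetical.
public class UniformBindResponse {
    private static final Logger LOG = Logger.getLogger(UniformBindResponse.class.getName());

    enum ResultCode { SUCCESS, INVALID_CREDENTIALS }

    record BindResult(ResultCode code, String errorMessage) {}

    // Constructed sample entry: principal DN -> password (plain text, illustration only).
    private static final Map<String, String> DIRECTORY = Map.of("uid=admin,ou=system", "secret");

    // Leaky pattern, as in the committed message: "DN not found" and "wrong password"
    // are distinguishable, so an unauthenticated client can enumerate valid DNs.
    static BindResult bindLeaky(String dn, String password) {
        String stored = DIRECTORY.get(dn);
        if (stored == null) {
            return new BindResult(ResultCode.INVALID_CREDENTIALS,
                    "Bind principalDn has not been found in the server.");
        }
        if (!stored.equals(password)) {
            return new BindResult(ResultCode.INVALID_CREDENTIALS, "Bind failed: Cannot authenticate user " + dn);
        }
        return new BindResult(ResultCode.SUCCESS, null);
    }

    // Uniform pattern, as proposed in the thread: the same result code and message for
    // both failure causes; the real cause is written only to the server log.
    static BindResult bindUniform(String dn, String password) {
        String stored = DIRECTORY.get(dn);
        if (stored == null) {
            LOG.info("bind failed: principalDn not found: " + dn);
        } else if (!stored.equals(password)) {
            LOG.info("bind failed: wrong password for " + dn);
        } else {
            return new BindResult(ResultCode.SUCCESS, null);
        }
        return new BindResult(ResultCode.INVALID_CREDENTIALS,
                "Bind principalDn has not been found in the server or could not be authenticated.");
    }

    public static void main(String[] args) {
        for (String dn : new String[] {"uid=nobody,ou=system", "uid=admin,ou=system"}) {
            System.out.println(bindLeaky(dn, "wrong").errorMessage() + " | " + bindUniform(dn, "wrong").errorMessage());
        }
    }
}
```

Running `main` shows the leaky handler producing two different messages for the two DNs while the uniform handler produces the identical message for both.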