directory-dev mailing list archives

From "Emmanuel Lecharny (Commented) (JIRA)" <>
Subject [jira] [Commented] (DIRKRB-29) Using randomKey creates a valid LDAP login
Date Wed, 19 Oct 2011 21:41:10 GMT


Emmanuel Lecharny commented on DIRKRB-29:

I would usually tell people saying that to get lost, but sadly, you are bloody right.

We had no time to focus on Kerberos, except last year when we spent almost three months fixing
the encoder/decoder, because they were just plain wrong.
Since then we are full time on the server, and it's just killing us.

The class that handles this randomKey is the KeyDerivationInterceptor (
I don't know what it does, but I can find some time to get it fixed, if someone with a deeper
knowledge about Kerberos drives me.

Feel free to ping me, I have a lot on my plate but I can easily divert some time.

Thanks !
> Using randomKey creates a valid LDAP login
> ------------------------------------------
>                 Key: DIRKRB-29
>                 URL:
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: Andreas Oberritter
>            Assignee: Emmanuel Lecharny
>             Fix For: 2.0.0
> Setting userPassword to "randomKey" triggers the generation of Kerberos keys. However,
> "randomKey" also gets stored as the real LDAP user's password. This creates accounts with easily
> guessable DNs like uid=krbtgt,ou=people,dc=example,dc=com, which can be used to access the
> LDAP server.
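
An audit for the condition the issue describes, as an added example that is not part of the original message or of the ApacheDS code: it scans an LDIF export of your own directory for entries whose stored userPassword is the literal "randomKey". The function names, the sample entries and the assumption that the value may be stored in clear, as {SHA} or as {SSHA} are all assumptions of this example.

```python
import base64
import binascii
import hashlib

SENTINEL = b"randomKey"  # magic userPassword value named in DIRKRB-29

def parse_ldif(text):
    """Yield (dn, [userPassword bytes]); handles folded lines and '::' base64 values."""
    unfolded = text.replace("\n ", "")  # continuation lines start with one space
    for block in unfolded.strip().split("\n\n"):
        dn, passwords = None, []
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            value = base64.b64decode(rest[1:]) if rest.startswith(":") else rest.strip().encode()
            if attr.lower() == "dn":
                dn = value.decode()
            elif attr.lower() == "userpassword":
                passwords.append(value)
        if dn:
            yield dn, passwords

def is_sentinel(stored):
    """True if a stored value is the sentinel, in clear or as {SHA}/{SSHA}."""
    scheme, sep, encoded = stored.partition(b"}")
    if not sep or scheme.upper() not in (b"{SHA", b"{SSHA"):
        return stored == SENTINEL
    try:
        raw = base64.b64decode(encoded)
    except binascii.Error:
        return False
    # SHA-1 digest is the first 20 bytes; the rest is the salt (empty for {SHA})
    return hashlib.sha1(SENTINEL + raw[20:]).digest() == raw[:20]

def audit(ldif_text):  # DNs whose stored password is the sentinel
    return [dn for dn, pws in parse_ldif(ldif_text) if any(map(is_sentinel, pws))]

def _ssha(password, salt):  # only used to build the constructed sample below
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

# Constructed sample export, not real data; the DN shape follows the issue text.
SAMPLE = f"""dn: uid=krbtgt,ou=people,dc=example,dc=com
userPassword: randomKey

dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {_ssha(b'randomKey', b'salt')}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {_ssha(b'another-secret', b'salt')}
"""
```

Calling `audit(SAMPLE)` returns the krbtgt and alice DNs; any DN it reports on a real export should have its userPassword replaced or removed.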
