directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Changing logging level
Date Wed, 23 Jul 2014 16:11:08 GMT
On 23/07/2014 18:00, Maxim Solodovnik wrote:
> MessageType : BIND_REQUEST
> Message ID : 1
>     BindRequest
>         Version : '3'
>         Name : 'CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com'
>         Simple authentication : '*password*/hash value'
>
> "*password*" is actually plain text password


Ahhh, crap !!!

In the BindRequestImpl class we do :

            if ( isSimple )
            {
                // Simple bind: the credentials are appended both as text and as a byte dump
                sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                    .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
            }
            else
            {
                sb.append( "        Sasl credentials\n" );
                sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );

                if ( credentials == null )
                {
                    sb.append( "            Credentials : null" );
                }
                else
                {
                    // SASL bind: the credentials are never written out
                    sb.append( "            Credentials : (omitted-for-safety)" );
                }
            }

As you can see, when using SASL bind, we don't expose the password,
while we do in PLAIN text...

I'm going to fix that immediately
(https://issues.apache.org/jira/browse/DIRAPI-197).

Many thanks !
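
Added example, not part of the original message and not the project's actual fix for DIRAPI-197: a redacting toString() that applies the same "(omitted-for-safety)" rule to simple and SASL binds, with a regression check that the secret never reaches the log text. The class BindRequestLogDemo and the helpers redact() and leaks() are hypothetical names, and the password is a constructed sample value.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in for a bind request; NOT the Apache Directory API class.
public class BindRequestLogDemo {
    private final String name;
    private final String mechanism;   // null means simple bind
    private final byte[] credentials;

    BindRequestLogDemo(String name, String mechanism, byte[] credentials) {
        this.name = name;
        this.mechanism = mechanism;
        this.credentials = credentials;
    }

    // One rule for every bind type: report presence only, never content.
    static String redact(byte[] credentials) {
        return credentials == null ? "null" : "(omitted-for-safety)";
    }

    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("    BindRequest\n");
        sb.append("        Name : '").append(name).append("'\n");
        if (mechanism == null) {
            sb.append("        Simple authentication : ").append(redact(credentials)).append('\n');
        } else {
            sb.append("        Sasl credentials\n");
            sb.append("            Mechanism :'").append(mechanism).append("'\n");
            sb.append("            Credentials : ").append(redact(credentials)).append('\n');
        }
        return sb.toString();
    }

    // Regression check: neither the text nor a hex rendering of the secret may appear.
    static boolean leaks(String logLine, byte[] secret) {
        StringBuilder hex = new StringBuilder();
        for (byte b : secret) {
            hex.append(String.format("%02X", b));
        }
        String flat = logLine.replace(" ", "").replace("0x", "").toUpperCase();
        return logLine.contains(new String(secret, StandardCharsets.UTF_8)) || flat.contains(hex.toString());
    }

    public static void main(String[] args) {
        byte[] secret = "constructed-sample-pw".getBytes(StandardCharsets.UTF_8); // constructed value
        String dump = new BindRequestLogDemo("CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com", null, secret).toString();
        System.out.print(dump);
        if (leaks(dump, secret)) throw new IllegalStateException("credentials leaked into log output");
    }
}
```

A check like leaks() fits in a unit test over every message type's toString(), so a new field holding a secret fails the build instead of showing up in debug logs.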

