directory-users mailing list archives

From Maxim Solodovnik <solomax...@gmail.com>
Subject Re: Changing logging level
Date Wed, 23 Jul 2014 16:13:53 GMT
Thanks :)


On 23 July 2014 23:11, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 23/07/2014 18:00, Maxim Solodovnik wrote:
> > MessageType : BIND_REQUEST
> > Message ID : 1
> >     BindRequest
> >         Version : '3'
> >         Name : 'CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com'
> >         Simple authentication : '*password*/hash value'
> >
> > "*password*" is actually plain text password
>
>
> Ahhh, crap !!!
>
> In the BindRequestImpl class we do :
>
>             if ( isSimple )
>             {
>                 sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
>                     .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
>             }
>             else
>             {
>                 sb.append( "        Sasl credentials\n" );
>                 sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
>
>                 if ( credentials == null )
>                 {
>                     sb.append( "            Credentials : null" );
>                 }
>                 else
>                 {
>                     sb.append( "            Credentials : (omitted-for-safety)" );
>                 }
>             }
>
> As you can see, when using SASL bind, we don't expose the password,
> while we do in PLAIN text...
>
> I'm going to fix that immediately
> (https://issues.apache.org/jira/browse/DIRAPI-197).
>
> Many thanks !
>
>


-- 
WBR
Maxim aka solomax
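An added example, not part of this thread and not the Apache Directory API's own code: a hypothetical `BindRequestDescription` helper that builds the same debug text as the quoted `toString` fragment, but treats simple-bind credentials the way the SASL branch already does (presence and length only, never the bytes). The class, method and sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical helper (not the Apache Directory API's own code) that renders a
// bind request for debug logs without ever writing the credential bytes.
public final class BindRequestDescription {

    // Redacts simple-bind credentials exactly like the SASL branch in the quoted
    // fragment, while still recording what a debugger needs (null vs. length).
    public static String describe(int messageId, String name, boolean isSimple,
                                  String mechanism, byte[] credentials) {
        StringBuilder sb = new StringBuilder();
        sb.append("MessageType : BIND_REQUEST\n");
        sb.append("Message ID : ").append(messageId).append('\n');
        sb.append("    BindRequest\n");
        sb.append("        Version : '3'\n");
        sb.append("        Name : '").append(name).append("'\n");

        if (isSimple) {
            // The leaking version appended utf8ToString(credentials) and a hex dump here.
            sb.append("        Simple authentication : ").append(redact(credentials)).append('\n');
        } else {
            sb.append("        Sasl credentials\n");
            sb.append("            Mechanism :'").append(mechanism).append("'\n");
            sb.append("            Credentials : ").append(redact(credentials)).append('\n');
        }
        return sb.toString();
    }

    // Never echoes the secret itself; only whether it was sent and how long it is.
    static String redact(byte[] credentials) {
        if (credentials == null) {
            return "null";
        }
        return "(omitted-for-safety, " + credentials.length + " bytes)";
    }

    public static void main(String[] args) {
        byte[] secret = "hunter2".getBytes(StandardCharsets.UTF_8); // constructed sample password
        String out = describe(1, "CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com", true, null, secret);
        System.out.print(out);
        // The check a unit test for such a toString should make: the secret never reaches the log.
        if (out.contains("hunter2")) {
            throw new AssertionError("credential leaked into log output");
        }
    }
}
```

The `main` doubles as the regression check worth keeping in a test suite: feed a known password through the description and assert it is absent from the output.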
