Posted to dev@directory.apache.org by "Hans Lohmander (JIRA)" <ji...@apache.org> on 2007/07/14 00:03:06 UTC

[jira] Created: (DIRSERVER-997) Block search ability for userPassword attribute

Block search ability for userPassword attribute
-----------------------------------------------

                 Key: DIRSERVER-997
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
             Project: Directory ApacheDS
          Issue Type: Improvement
         Environment: All
            Reporter: Hans Lohmander


I entered this issue on request from the user list where this topic came up.

The userPassword should not be available for search,
else password fishing is possible.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Karasulu updated DIRSERVER-997:
------------------------------------

    Fix Version/s:     (was: 1.5.4)
                   1.5.5

Next release - we need to get 1.5.4 out fast.

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.2, 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0, 1.0-RC4, 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
>         Environment: All
>            Reporter: Hans Lohmander
>            Assignee: Emmanuel Lecharny
>             Fix For: 1.5.5



[jira] Updated: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Karasulu updated DIRSERVER-997:
------------------------------------

             Priority: Major  (was: Critical)
    Affects Version/s: 1.5.2
                       1.5.1
                       1.0.2
                       1.0.1
                       1.0
                       1.0-RC4
                       1.0-RC3
                       1.0-RC2
                       1.0-RC1
                       pre-1.0
        Fix Version/s:     (was: 1.5.2)
                       1.5.3

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.2, 1.5.1, 1.0.2, 1.0.1, 1.5.0, 1.0, 1.0-RC4, 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
>         Environment: All
>            Reporter: Hans Lohmander
>             Fix For: 1.5.3



[jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Ersin Er (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512638 ] 

Ersin Er commented on DIRSERVER-997:
------------------------------------

Well, although I think you do not refer to it, this issue can also be considered together with one of our existing issues: DIRSERVER-955. If you suppose that we fixed this issue, with appropriate configuration (the one I mentioned in the previous post) no one can use userPassword in a search filter, nor can they read values from that attribute. Such a search operation would need grantFilterMatch and grantRead permissions on the userPassword attribute.

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>         Environment: All
>            Reporter: Hans Lohmander



[jira] Updated: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Karasulu updated DIRSERVER-997:
------------------------------------

    Priority: Critical  (was: Major)

This is a security issue that should be fixed quickly.

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>         Environment: All
>            Reporter: Hans Lohmander
>            Priority: Critical
>             Fix For: 1.5.2



[jira] Updated: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Karasulu updated DIRSERVER-997:
------------------------------------

    Fix Version/s:     (was: 1.5.3)
                   1.5.4
         Assignee: Emmanuel Lecharny

Looks like you got this on the roadmap.

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.2, 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0, 1.0-RC4, 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
>         Environment: All
>            Reporter: Hans Lohmander
>            Assignee: Emmanuel Lecharny
>             Fix For: 1.5.4



[jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Ersin Er (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512635 ] 

Ersin Er commented on DIRSERVER-997:
------------------------------------

Hans, this is related to how you configure Authorization. You can deny users from doing anything with passwords if you want. I don't think this is an issue to be fixed. It can just be done via configuration. You may have a look at:

http://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+ACI+Based+Access+Control+-+Step+by+Step+Guide

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>         Environment: All
>            Reporter: Hans Lohmander



[jira] Updated: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRSERVER-997:
----------------------------------------

    Affects Version/s: 1.5.0
        Fix Version/s: 1.5.2

To be fixed in the next release

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>         Environment: All
>            Reporter: Hans Lohmander
>             Fix For: 1.5.2



[jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Hans Lohmander (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512690 ] 

Hans Lohmander commented on DIRSERVER-997:
------------------------------------------

Yes, the issue DIRSERVER-955 would handle this and more. Then it comes down to a sensible default configuration for the userPassword attribute.



> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>         Environment: All
>            Reporter: Hans Lohmander



[jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12650090#action_12650090 ] 

Emmanuel Lecharny commented on DIRSERVER-997:
---------------------------------------------

I have added some code into the place where we build the responses: if the userPassword is present, and if the server does not allow this userPassword to be exposed, then the attribute is removed from the response.

I think this is a mid-term solution which is pretty easy to implement.

However, we need to add a flag in the server configuration to tell the server to hide the password (or it can be the default, and then we need a flag to tell the server to expose the password...).

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.2, 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0, 1.0-RC4, 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
>         Environment: All
>            Reporter: Hans Lohmander
>            Assignee: Emmanuel Lecharny
>             Fix For: 1.5.5

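The two controls raised in this thread, refusing FilterMatch on userPassword so that a filter like the one in the report is rejected before any entry is compared, and stripping userPassword from responses as in the comment above, modelled together as an added Python example that is not ApacheDS code. The Acl class, the permission names Read and FilterMatch, the search() and filter_allowed() functions and the directory entries are assumptions constructed for this illustration; the ACI model in ApacheDS (grantFilterMatch, grantRead) is richer than this.

```python
"""Model of the userPassword controls discussed in DIRSERVER-997 (added example).

Assumptions made here, not ApacheDS code: the Acl class, the permission names
"Read" and "FilterMatch", search()/filter_allowed(), and the sample entries.
  1. FilterMatch: a filter that references an attribute the caller may not
     match on is rejected outright, so an equality filter on userPassword
     cannot act as a yes/no oracle for a guessed hash.
  2. Read: attributes the caller may not read are removed from every entry
     before it is returned (the "strip it from the response" approach).
"""
from dataclasses import dataclass, field


class SearchDenied(Exception):
    """Raised when a filter touches an attribute without FilterMatch."""


@dataclass
class Acl:
    """Per-attribute permission sets; attributes not listed get `default`."""
    attr_perms: dict
    default: set = field(default_factory=lambda: {"Read", "FilterMatch"})

    def perms(self, attr: str) -> set:
        return self.attr_perms.get(attr.lower(), self.default)


# Subset of the RFC 4515 string filter: (&...), (|...), (!...), (attr=value)
# and presence (attr=*).  Approximate/substring/extensible forms are omitted.
def _parse(s: str, i: int):
    """Parse one component starting at s[i] == '('; return (node, next_i)."""
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in ("&", "|", "!"):
        children, i = [], i + 2
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")" or not children:
            raise ValueError("malformed compound filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0 or "=" not in s[i + 1:end]:
        raise ValueError("malformed simple filter")
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.strip().lower(), value), end + 1


def parse_filter(s: str):
    tree, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return tree


def filter_attributes(tree, out=None) -> set:
    """Every attribute name the filter would compare against, nested or not."""
    out = set() if out is None else out
    if tree[0] in ("&", "|", "!"):
        for child in tree[1]:
            filter_attributes(child, out)
    else:
        out.add(tree[1])
    return out


def _matches(tree, entry: dict) -> bool:
    op = tree[0]
    if op == "&":
        return all(_matches(c, entry) for c in tree[1])
    if op == "|":
        return any(_matches(c, entry) for c in tree[1])
    if op == "!":
        return not _matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    return bool(values) if value == "*" else value in values


# Constructed sample data; the hash values are placeholders, not real digests.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,o=some.root", "uid": ["alice"],
     "cn": ["Alice Example"], "userpassword": ["{SSHA}constructed-hash-alice"]},
    {"dn": "uid=bob,ou=people,o=some.root", "uid": ["bob"],
     "cn": ["Bob Example"], "userpassword": ["{SSHA}constructed-hash-bob"]},
]

OPEN = Acl({})                           # legacy: nothing restricted
HARDENED = Acl({"userpassword": set()})  # proposed default: no Read, no FilterMatch


def filter_allowed(acl: Acl, ldap_filter: str) -> bool:
    """True when every attribute named in the filter carries FilterMatch."""
    return all("FilterMatch" in acl.perms(a)
               for a in filter_attributes(parse_filter(ldap_filter)))


def search(acl: Acl, ldap_filter: str, directory=DIRECTORY) -> list:
    """Evaluate a filter under `acl`; entries come back with readable attrs only."""
    if not filter_allowed(acl, ldap_filter):
        raise SearchDenied(f"filter uses an attribute without FilterMatch: {ldap_filter}")
    tree = parse_filter(ldap_filter)
    return [{k: v for k, v in entry.items() if k == "dn" or "Read" in acl.perms(k)}
            for entry in directory if _matches(tree, entry)]


if __name__ == "__main__":
    probe = "(userPassword={SSHA}constructed-hash-alice)"
    print("open    :", [e["dn"] for e in search(OPEN, probe)])   # discloses alice
    try:
        search(HARDENED, probe)
    except SearchDenied as exc:
        print("hardened:", exc)                                  # rejected
    print("hardened:", search(HARDENED, "(uid=alice)"))          # no userpassword
```

Run directly, the open configuration reveals which entry carries the probed value while the hardened one refuses the filter; because the same parse tree feeds both the permission check and the match, wrapping the attribute in (&...) or (!...) does not get it past the check, and a plain (uid=alice) search still succeeds with userPassword absent from the result.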


[jira] Updated: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRSERVER-997:
----------------------------------------

    Fix Version/s:     (was: 1.5.5)
                   2.0.0-RC1

Postponed to 2.0.0-RC1

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.2, 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0, 1.0-RC4, 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
>         Environment: All
>            Reporter: Hans Lohmander
>            Assignee: Emmanuel Lecharny
>             Fix For: 2.0.0-RC1



[jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12522505 ] 

Emmanuel Lecharny commented on DIRSERVER-997:
---------------------------------------------

We need to add some documentation, and also to add the proposed configuration as a default value in the server.

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>         Environment: All
>            Reporter: Hans Lohmander
>             Fix For: 1.5.2



[jira] Commented: (DIRSERVER-997) Block search ability for userPassword attribute

Posted by "Ersin Er (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12522710 ] 

Ersin Er commented on DIRSERVER-997:
------------------------------------

Well, we can handle this in DefaultAuthorizationService I think. It can be a hardcoded check as no one will want to allow such a search.

> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 1.5.0
>         Environment: All
>            Reporter: Hans Lohmander
>            Priority: Critical
>             Fix For: 1.5.2
