You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2010/06/02 01:43:41 UTC

[jira] Resolved: (DIRSERVER-640) bring error hints from CustomAuthenticators extending AbstractAuthenticator back to the client.

     [ https://issues.apache.org/jira/browse/DIRSERVER-640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-640.
-----------------------------------------

    Resolution: Won't Fix

Providing more information is a potential security breach. Enough to say that the authent failed, no need to tell the user why (ie, if we tell him that the credentials are not correct, then that implies the user name exists)

> bring error hints from CustomAuthenticators extending AbstractAuthenticator back to the client.
> -----------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-640
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-640
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: ldap
>    Affects Versions: 1.0-RC3
>         Environment: windows/linux
>            Reporter: Ralf Hauser
>             Fix For: 2.0.0-RC1
>
>         Attachments: AuthenticationService.java.patch
>
>
> For the authentication, I use a CustomAuthenticator that extends AbstractAuthenticator.
> If the authentication fails I use LdapAuthenticationException or LdapNoPermissionException and I appreciate a lot to be able to provide some hint (String explanation) why the exception was thrown.
> Unfortunately, this hint never reaches the client. I only sees "error code 49 - Bind failed" - the equivalent is visible in the server log as
> <<Ldap Result
>             Result code : (ResultCodeEnum[INVALIDCREDENTIALS=49]) invalidCredentials
>             Matched DN : 'null'
>             Error message : 'Bind failed'>>
> It appears that the culprit is org.apache.directory.server.core.authn.AuthenticationService.bind(NextInterceptor next, Name bindDn, byte[] credentials, List mechanisms, String saslAuthId) throws NamingException
>  where that expception is caught, neither its class is analyzed in detail nor is there any attempt to use "explanations" when re-throwing even though an LdapAuthenticationException constructor does exist that takes a "msg" for explanations.
> Therefore my suggestion: please make sure that it is possible to provide a user more information by optionally appending an "explantion" to the 'Bind failed' a client currently sees in an ldap client.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.