Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2008/06/09 21:59:29 UTC

Name/Password simple authentication error code

Hi,

while reviewing the whole authentication system, I discovered that if
you provide a wrong password to an existing user, you will get a
LdapAuthenticationException error, with a "Password not correct for
user 'blah'".

This is contradictory with RFC 4513 which says that if the password is
not valid for the DN, an InvalidCredentials error should be issued.
More important is the message, which gives a clear indication to the
user that the DN is correct, but its password is not the good one:
typically the wrong message to give to an attacker.

I think we have to change this portion of the code.

Thoughts?

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
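The behaviour described in the message, beside a hardened variant, as an added example that is not Apache Directory code and not part of the original post. It is written in Python rather than the project's Java, the directory contents, the DN `uid=alice,ou=people,dc=example,dc=com` and the function names are constructed, and it goes one step further than the message: besides returning the same resultCode and an empty diagnostic message for an unknown DN and a wrong password, the hardened bind also does the same password-hashing work in both cases, so response timing does not reveal whether the DN exists either. The resultCode values (0 success, 32 noSuchObject, 49 invalidCredentials) are those of RFC 4511.

```python
"""Toy LDAP simple-bind handler: leaky error handling beside a hardened one.
Constructed example; not Apache Directory code. Directory and DNs are made up."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# LDAP resultCode values (RFC 4511) relevant to a simple bind.
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49

BindResult = Tuple[int, str]  # (resultCode, diagnosticMessage)


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; iteration count kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def _make_entry(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed directory: DN -> (salt, derived key). Only alice exists.
DIRECTORY: Dict[str, Tuple[bytes, bytes]] = {
    "uid=alice,ou=people,dc=example,dc=com": _make_entry("correct horse"),
}

# Decoy credential used when the DN is unknown, so the hardened path performs
# the same key derivation and comparison as for a real entry. The random key
# can never match, and the entry check below makes sure a match would not count.
_DECOY_SALT = os.urandom(16)
_DECOY_KEY = os.urandom(32)


def leaky_bind(dn: str, password: str) -> BindResult:
    """The behaviour the message objects to: a distinct result for an unknown
    DN, and a diagnostic message that confirms the DN exists."""
    entry: Optional[Tuple[bytes, bytes]] = DIRECTORY.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT, f"No such entry '{dn}'"
    salt, key = entry
    if _derive(password, salt) != key:
        return INVALID_CREDENTIALS, f"Password not correct for user '{dn}'"
    return SUCCESS, ""


def hardened_bind(dn: str, password: str) -> BindResult:
    """Unknown DN and wrong password are indistinguishable to the client:
    same resultCode (49, invalidCredentials), empty diagnostic message,
    and the same amount of work done on both paths."""
    entry = DIRECTORY.get(dn)
    salt, key = entry if entry is not None else (_DECOY_SALT, _DECOY_KEY)
    # Derive and compare first so the work is done even for an unknown DN;
    # only then reject the decoy entry.
    matched = hmac.compare_digest(_derive(password, salt), key)
    if not matched or entry is None:
        return INVALID_CREDENTIALS, ""
    return SUCCESS, ""


def leaks_existence(bind: Callable[[str, str], BindResult]) -> bool:
    """Oracle check: does a bind handler answer differently for an unknown DN
    than for a known DN with a wrong password? True means it leaks."""
    unknown_dn = bind("uid=nobody,ou=people,dc=example,dc=com", "x")
    wrong_pw = bind("uid=alice,ou=people,dc=example,dc=com", "x")
    return unknown_dn != wrong_pw


if __name__ == "__main__":
    print("leaky_bind leaks existence:", leaks_existence(leaky_bind))
    print("hardened_bind leaks existence:", leaks_existence(hardened_bind))
```

The `leaks_existence` check is the kind of regression test worth keeping next to a bind handler: it fails as soon as someone reintroduces a per-case diagnostic message or a separate result code for a missing entry. Response timing is not asserted here; the decoy derivation is what keeps the two failure paths comparable in cost.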