Posted to dev@directory.apache.org by Stefan Seelmann <se...@apache.org> on 2009/02/27 18:11:43 UTC

Re: svn commit: r748560 - /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/BindHandler.java

elecharny@apache.org wrote:
> 
> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
> Log:
> Fixed an error message. If the PrincipalDN was not found, the server sent back a Referral error. Not very cool ...
> ...
> +                result.setErrorMessage( "Bind principalDn has not
> been found in the server." );
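Review bot: the added message tells the client that the bind principal DN does not exist, which is distinguishable from the wrong-password response (49 INVALID_CREDENTIALS, "Bind failed: Cannot authenticate user ..."), so an unauthenticated client can learn which DNs are present in the directory. Suggest returning the same INVALID_CREDENTIALS code and the same generic message in both cases and keeping the "not found" detail in the server-side log only.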

Hm, a potential attacker gets useful information that the DN doesn't
exist. Maybe it is better to return the same error message as if the
password is wrong?

49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system

On the other hand, for debugging it is better to get the real cause...

Kind Regards,
Stefan


Re: svn commit: r748560 - /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/BindHandler.java

Posted by Felix Knecht <fe...@apache.org>.
Or have in both cases the message

result.setErrorMessage( "Bind principalDn has not been found in the server or could not be authenticated." );


Emmanuel Lecharny schrieb:
> Stefan Seelmann wrote:
>> elecharny@apache.org wrote:
>>  
>>> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
>>> Log:
>>> Fixed an error message. If the PrincipalDN was not found, the server 
>>> sent back a Referral error. Not very cool ...
>>> ...
>>> +                result.setErrorMessage( "Bind principalDn has not
>>> been found in the server." );
>>>     
>>
>> Hm, a potential attacker gets useful information that the DN doesn't
>> exist. Maybe it is better to return the same error message as if the
>> password is wrong?
>>
>> 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system
>>
>> On the other hand, for debugging it is better to get the real cause...
>>   
> Oops, you are right!
> 
> We can still log the correct error message, but return a simple message.
> 


Re: svn commit: r748560 - /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/BindHandler.java

Posted by Emmanuel Lecharny <el...@apache.org>.
Stefan Seelmann wrote:
> elecharny@apache.org wrote:
>   
>> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
>> Log:
>> Fixed an error message. If the PrincipalDN was not found, the server sent back a Referral error. Not very cool ...
>> ...
>> +                result.setErrorMessage( "Bind principalDn has not
>> been found in the server." );
>>     
>
> Hm, a potential attacker gets useful information that the DN doesn't
> exist. Maybe it is better to return the same error message as if the
> password is wrong?
>
> 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system
>
> On the other hand, for debugging it is better to get the real cause...
>   
Oops, you are right!

We can still log the correct error message, but return a simple message.



-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
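The approach the thread settles on (log the real cause, return a simple message), written out as an added example in plain Java; this is not ApacheDS code, and the Map-backed STORE, the BindOutcome type and the use of java.util.logging are assumptions made for the demo:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.logging.Logger;

// Added example, not ApacheDS code: log the real cause server-side but return one
// generic INVALID_CREDENTIALS (49) result whether the DN is unknown or the password
// is wrong. The Map-backed STORE and BindOutcome are hypothetical stand-ins.
public class UniformBindExample {
    private static final Logger LOG = Logger.getLogger(UniformBindExample.class.getName());
    static final int INVALID_CREDENTIALS = 49;
    static final Map<String, String> STORE = Map.of("uid=admin,ou=system", "secret"); // constructed sample user

    /** The only two fields that reach the client. */
    static final class BindOutcome {
        final int resultCode;
        final String errorMessage;
        BindOutcome(int resultCode, String errorMessage) {
            this.resultCode = resultCode;
            this.errorMessage = errorMessage;
        }
    }

    static BindOutcome bind(String principalDn, String password) {
        String expected = STORE.get(principalDn);
        if (expected == null) {
            LOG.warning("Bind failed: principalDn not found: " + principalDn); // server log only
            return invalidCredentials(principalDn);
        }
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
            LOG.warning("Bind failed: wrong password for " + principalDn); // server log only
            return invalidCredentials(principalDn);
        }
        return new BindOutcome(0, ""); // 0 = success
    }

    /** Same code and same text for every failure, so the client cannot tell the causes apart. */
    private static BindOutcome invalidCredentials(String principalDn) {
        return new BindOutcome(INVALID_CREDENTIALS, "Bind failed: Cannot authenticate user " + principalDn);
    }

    public static void main(String[] args) {
        BindOutcome unknownDn = bind("uid=nobody,ou=system", "x");
        BindOutcome wrongPw = bind("uid=admin,ou=system", "wrong");
        System.out.println(unknownDn.resultCode + " - " + unknownDn.errorMessage);
        System.out.println(wrongPw.resultCode + " - " + wrongPw.errorMessage);
    }
}
```

Both failed binds come back as `49 - Bind failed: Cannot authenticate user <the DN the client sent>`; only the server log records which of the two causes applied.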