You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Ersin Er (JIRA)" <ji...@apache.org> on 2007/07/14 00:12:05 UTC
[jira] Commented: (DIRSERVER-997) Block search ability for
userPassword attribute
[ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512635 ]
Ersin Er commented on DIRSERVER-997:
------------------------------------
Hans, this is related to how you configure Authorization. You can deny users for doing anything with passwords if you want. I don't think this is an issue to be fixed. It can just be done via configuration. You may have a look at:
http://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+ACI+Based+Access+Control+-+Step+by+Step+Guide
> Block search ability for userPassword attribute
> -----------------------------------------------
>
> Key: DIRSERVER-997
> URL: https://issues.apache.org/jira/browse/DIRSERVER-997
> Project: Directory ApacheDS
> Issue Type: Improvement
> Environment: All
> Reporter: Hans Lohmander
>
> I entered this issue on request from the user list where this topic came up.
> The userPassword should not be available for search,
> else password fishing is possible.
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
> iPlanet DS 4.x allowed searches on ueserPassword attribute with
> directory manager privs I found out.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.