[jira] [Reopened] (DIRSERVER-997) Block search ability for userPassword attribute

["Emmanuel Lecharny (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny reopened DIRSERVER-997:
-----------------------------------------


Please do *not* close issue you don't own, especially if the issue is still present !
                
> Block search ability for userPassword attribute
> -----------------------------------------------
>
>                 Key: DIRSERVER-997
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-997
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: pre-1.0, 1.0-RC1, 1.0-RC2, 1.0-RC3, 1.0-RC4, 1.0, 1.0.1, 1.0.2, 1.5.0, 1.5.1, 1.5.2
>         Environment: All
>            Reporter: Hans Lohmander
>            Assignee: Emmanuel Lecharny
>             Fix For: 2.0.0-M8, 2.0.0-RC1
>
>
> I entered this issue on request from the user list where this topic came up.
> The userPassword should not be available for search,
> else password fishing is possible.
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
> iPlanet DS 4.x allowed searches on ueserPassword attribute with
> directory manager privs I found out. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira