Posted to dev@directory.apache.org by "Kiran Ayyagari (JIRA)" <ji...@apache.org> on 2015/04/01 08:49:52 UTC

[jira] [Commented] (DIRSERVER-2051) Getting Password Expired Instead of Invalid Credentials

    [ https://issues.apache.org/jira/browse/DIRSERVER-2051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14390093#comment-14390093 ] 

Kiran Ayyagari commented on DIRSERVER-2051:
-------------------------------------------

[~dpaulsen] Do you see any security implication if the error message provides the reason "password expired" in the 
error message?

I don't see any and IMO, it is informative to users without requiring them to decode the password policy response control. 
Also, note that the detail about why the login was unsuccessful is already present in the ppolicy response control 
present in the BindResponse.

> Getting Password Expired Instead of Invalid Credentials
> -------------------------------------------------------
>
>                 Key: DIRSERVER-2051
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2051
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: David Paulsen
>
> When I log in with invalid credentials AND the password is expired, I 
> would expect to get the invalid credentials error:
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: INVALID_CREDENTIALS: Bind failed: ERR_229 
> Cannot authenticate user 
> uid=admin,ou=DJPS1,ou=DVHead,dc=kewilltransport,dc=com
> Instead I get the password expired error:
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: INVALID_CREDENTIALS: Bind failed: paasword 
> expired
> I would think we should get the invalid credentials error in that case.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)