[
https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12650090#action_12650090
]
Emmanuel Lecharny commented on DIRSERVER-997:
---------------------------------------------
I have added some code into the place where we build the responses : if the
userPassword is present, and if the server does not allow this userPassword to
be exposed, then the attribute is removed from the response.
i think this is a mid-term solution which is pretty easy to implement.
However, we need to add a flag in the server configuration to tell the server
to hide the password.(or it can be the default, and then we need a flag to tell
the server to expose the password...)
> Block search ability for userPassword attribute
> -----------------------------------------------
>
> Key: DIRSERVER-997
> URL: https://issues.apache.org/jira/browse/DIRSERVER-997
> Project: Directory ApacheDS
> Issue Type: Improvement
> Affects Versions: 1.5.2, 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0, 1.0-RC4,
> 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0
> Environment: All
> Reporter: Hans Lohmander
> Assignee: Emmanuel Lecharny
> Fix For: 1.5.5
>
>
> I entered this issue on request from the user list where this topic came up.
> The userPassword should not be available for search,
> else password fishing is possible.
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub
> 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
> iPlanet DS 4.x allowed searches on ueserPassword attribute with
> directory manager privs I found out.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
