[email protected] wrote:
>
> URL: http://svn.apache.org/viewvc?rev=748560&view=rev
> Log:
> Fixed an error message. If the PrincipalDN was not found, the server sent
> back a Referral error. Not very cool ...
> ...
> +        result.setErrorMessage( "Bind principalDn has not
> been found in the server." );
Hm, a potential attacker gets useful information that the DN doesn't exist. Maybe it is better to return the same error message as if the password is wrong?

    49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system

On the other hand, for debugging it is better to get the real cause...

Kind Regards,
Stefan
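A bind handler in the shape Stefan describes, written as an added example for this thread and not ApacheDS code: the client always receives resultCode 49 with one fixed message, whether the DN is missing or the password is wrong, while the distinguishing cause goes only to the server's debug log, which keeps the real cause available for debugging. The directory contents, salt and message text are constructed for the example.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass

# LDAP resultCode used for every authentication failure (RFC 4511).
INVALID_CREDENTIALS = 49
SUCCESS = 0
# One message for all failure modes, so the reply does not reveal
# whether the principal DN exists. Constructed text.
UNIFORM_MESSAGE = "Bind failed: Cannot authenticate user"

log = logging.getLogger("bind-audit")


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed sample directory: DN -> salted SHA-256 of the password.
SALT = b"example-salt"
DIRECTORY = {"uid=admin,ou=system": _digest(SALT, "secret")}
# Digest compared against when the DN is absent, so that path does
# about the same work as a wrong-password check.
DUMMY_DIGEST = _digest(SALT, "dummy-password")


@dataclass
class BindResult:
    code: int
    message: str


def simple_bind(dn: str, password: str) -> BindResult:
    """Authenticate a simple bind. The client sees the same code and
    message for 'no such DN' and 'wrong password'; the server log
    records which one actually happened."""
    stored = DIRECTORY.get(dn)
    supplied = _digest(SALT, password)
    if stored is None:
        hmac.compare_digest(supplied, DUMMY_DIGEST)  # equalise timing
        log.debug("bind failed: principal DN %r not found", dn)
        return BindResult(INVALID_CREDENTIALS, UNIFORM_MESSAGE)
    if not hmac.compare_digest(supplied, stored):
        log.debug("bind failed: wrong password for %r", dn)
        return BindResult(INVALID_CREDENTIALS, UNIFORM_MESSAGE)
    return BindResult(SUCCESS, "")
```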
