Stefan Seelmann wrote:
[email protected] wrote:
URL: http://svn.apache.org/viewvc?rev=748560&view=rev
Log:
Fixed an error message. If the PrincipalDN was not found, the server sent back
a Referral error. Not very cool ...
...
+ result.setErrorMessage( "Bind principalDn has not
been found in the server." );
Hm, a potential attacker gets useful information that the DN doesn't
exist. Maybe it is better to return the same error message as if the
password is wrong?
49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user
uid=admin,ou=system
On the other hand, for debugging is is better to get the real cause...
Oops, you are right !
We can still log the correct error message, but return a simple message.
--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
