Or have in both cases the message
result.setErrorMessage( "Bind principalDn has not been found in the server or could not be authenticated." );
Emmanuel Lecharny wrote:
Stefan Seelmann wrote:
[email protected] wrote:
URL: http://svn.apache.org/viewvc?rev=748560&view=rev
Log:
Fixed an error message. If the PrincipalDN was not found, the server
sent back a Referral error. Not very cool ...
...
+ result.setErrorMessage( "Bind principalDn has not
been found in the server." );
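Review bot: the added message makes a bind against a DN that does not exist distinguishable from a bind with a wrong password, so a client can confirm whether an account exists by the error text alone. Return the same INVALID_CREDENTIALS text for both cases and keep the "principalDn not found" detail in the server log, where it still helps with debugging.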
Hm, a potential attacker gets useful information that the DN doesn't
exist. Maybe it is better to return the same error message as if the
password is wrong?
49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system
On the other hand, for debugging it is better to get the real cause...
Oops, you are right!
We can still log the correct error message, but return a simple message.
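The approach agreed on above, logging the real cause server-side while returning one generic message to the client, as an added Python example that is not part of this thread or of ApacheDS; the sample directory, the salted-hash scheme and the function names classify_bind and bind are constructed for illustration:

```python
import hashlib
import hmac
import logging

# Constructed sample directory (not ApacheDS data): bind DN -> (salt, SHA-256(salt + password)).
def pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

SALT = b"constructed-salt"
DIRECTORY = {"uid=admin,ou=system": (SALT, pw_hash(SALT, "secret"))}
DUMMY_HASH = bytes(32)  # compared against when the DN is absent, so the same work is done

# The single client-facing result for every failed bind: LDAP result code 49
# (invalidCredentials) with a message that does not say which check failed.
INVALID_CREDENTIALS = 49
CLIENT_MESSAGE = "Bind failed: Cannot authenticate user"

audit = logging.getLogger("bind-audit")  # server-side log only; never sent to the client


def classify_bind(dn: str, password: str) -> str:
    """Server-side result: 'ok', 'dn-not-found' or 'bad-password'.

    The password hash is always computed and compared, so a missing DN is not
    distinguishable from a wrong password by how long the bind takes.
    """
    entry = DIRECTORY.get(dn)
    salt, stored = entry if entry is not None else (SALT, DUMMY_HASH)
    match = hmac.compare_digest(pw_hash(salt, password), stored)
    if entry is None:
        return "dn-not-found"
    return "ok" if match else "bad-password"


def bind(dn: str, password: str) -> tuple[int, str]:
    """Return (result_code, message) exactly as the client would see it.

    The real cause goes to the audit log for the administrator; the client
    gets the same code and text whether the DN is unknown or the password is wrong.
    """
    cause = classify_bind(dn, password)
    if cause == "ok":
        audit.info("bind succeeded for %s", dn)
        return 0, ""
    audit.warning("bind failed for %s: %s", dn, cause)  # detail stays in the server log
    return INVALID_CREDENTIALS, CLIENT_MESSAGE
```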