[
https://issues.apache.org/jira/browse/DIRKRB-29?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13131005#comment-13131005
]
Aaron J Angel commented on DIRKRB-29:
-------------------------------------
With respect, I think there's been plenty of time to fix this. It's been over
a year. This is a heinous security risk. Easily avoided by not using
'randomKey', but still it must be an easy fix.
If you really don't have time to fix this, a pointer in the right direction
would be nice. If I knew where to look, I might be able to produce a patch to
speed things up.
> Using randomKey creates a valid LDAP login
> ------------------------------------------
>
> Key: DIRKRB-29
> URL: https://issues.apache.org/jira/browse/DIRKRB-29
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: Andreas Oberritter
> Assignee: Emmanuel Lecharny
> Fix For: 2.0.0
>
>
> Setting userPassword to "randomKey" triggers the generation of Kerberos keys.
> However, "randomKey" also gets stored as the real LDAP users password. This
> creates accounts with easily guessable DNs like
> uid=krbtgt,ou=people,dc=example,dc=com, which can be used to access the LDAP
> server.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
