[ 
https://issues.apache.org/jira/browse/DIRKRB-29?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13131030#comment-13131030
 ] 

Emmanuel Lecharny commented on DIRKRB-29:
-----------------------------------------

I would usually tell people saying that to get lost, but sadly, you are bloody 
right.

We had no time to focus on Kerberos, except last year when we spent almost 
three months fixing the encoder/decoder, because they were just plain wrong.
Since then we are full time on the server, and it's just killing us.

The class that handles this randomKey is the KeyDerivationInterceptor 
(http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.java?view=markup).
 I don't know what it does, but I can find some time to get it fixed, if 
someone with a deeper knowledge about Kerberos drives me.

Feel free to ping me, I have a lot on my plate but I can easily divert some time.

Thanks !
                
> Using randomKey creates a valid LDAP login
> ------------------------------------------
>
>                 Key: DIRKRB-29
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-29
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: Andreas Oberritter
>            Assignee: Emmanuel Lecharny
>             Fix For: 2.0.0
>
>
> Setting userPassword to "randomKey" triggers the generation of Kerberos keys. 
> However, "randomKey" also gets stored as the real LDAP users password. This 
> creates accounts with easily guessable DNs like 
> uid=krbtgt,ou=people,dc=example,dc=com, which can be used to access the LDAP 
> server.
