[
https://issues.apache.org/jira/browse/DIRSERVER-2051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14485444#comment-14485444
]
Emmanuel Lecharny commented on DIRSERVER-2051:
----------------------------------------------
> From the security POV, this is not clear-cut. Specifically, case #2 seems
> risky: you just give the information to someone that somehow, the password
> was correct.
What about providing a unique message: "incorrect or expired password" in all
three cases?
> Getting Password Expired Instead of Invalid Credentials
> -------------------------------------------------------
>
> Key: DIRSERVER-2051
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2051
> Project: Directory ApacheDS
> Issue Type: Bug
> Reporter: David Paulsen
>
> When I log in with invalid credentials AND the password is expired, I
> would expect to get the invalid credentials error:
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: INVALID_CREDENTIALS: Bind failed: ERR_229
> Cannot authenticate user
> uid=admin,ou=DJPS1,ou=DVHead,dc=kewilltransport,dc=com
> Instead I get the password expired error:
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: INVALID_CREDENTIALS: Bind failed: paasword
> expired
> I would think we should get the invalid credentials error in that case.
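The password-correctness oracle discussed above, as an added example that is not ApacheDS code or part of the thread: a simulated bind handler that returns the three distinct outcomes the reporter asks for (success, invalid credentials, password expired) next to one that returns a single "incorrect or expired password" message. The account record, its DN, password and PBKDF2 hashing are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an LDAP entry whose password policy has expired.
_SALT = os.urandom(16)
NOW = datetime(2015, 4, 8, tzinfo=timezone.utc)
BEFORE_EXPIRY = NOW - timedelta(days=2)   # a moment when the password was still valid


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


ACCOUNT = {
    "dn": "uid=sample,ou=users,dc=example,dc=com",   # constructed DN
    "salt": _SALT,
    "hash": _hash("correct horse battery", _SALT),  # constructed sample password
    "expires": NOW - timedelta(days=1),              # already expired at NOW
}


def _password_matches(account: dict, supplied: str) -> bool:
    # Constant-time comparison so the check itself is not a timing oracle.
    return hmac.compare_digest(account["hash"], _hash(supplied, account["salt"]))


def bind_distinguishing(account: dict, supplied: str, now: datetime = NOW):
    """Three distinct outcomes, as requested in the issue: a wrong password on an
    expired account gets 'cannot authenticate', the right one gets 'expired'."""
    if not _password_matches(account, supplied):
        return 49, "Bind failed: cannot authenticate user"
    if now >= account["expires"]:
        return 49, "Bind failed: password expired"
    return 0, "success"


def bind_uniform(account: dict, supplied: str, now: datetime = NOW):
    """Emmanuel's proposal: every failing case returns the same message, so the
    response no longer tells a caller whether the password itself was right."""
    if _password_matches(account, supplied) and now < account["expires"]:
        return 0, "success"
    return 49, "Bind failed: incorrect or expired password"


def leaks_password_correctness(bind_fn, account: dict, wrong: str, right: str) -> bool:
    """True if the bind response differs between a wrong and a right password on
    an expired account, i.e. the server confirms the password without a login."""
    return bind_fn(account, wrong) != bind_fn(account, right)
```

Run against the expired sample account, `leaks_password_correctness` is True for `bind_distinguishing` and False for `bind_uniform`, while both still succeed for the right password before expiry.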