On 6/27/19 6:23 PM, Michael Ströder wrote:
> On 6/27/19 6:18 PM, Howard Chu wrote:
>> Michael Ströder wrote:
>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>
>>> But one more I'd love to see in 2.4.48:
>>>
>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>
>>> https://www.openldap.org/its/index.cgi?findid=8866
>>
>> I don't believe the information disclosure issues have been
>> sufficiently answered there. Overall it's a bad idea and goes against
>> our standing policy of minimal disclosure.
> Sorry, you already have the disclosure.
>
> Citing from my old e-mail found here:
> https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>
>> But this problem exists anyway because an attacker can probe
>> values by adding entries with non-unique attributes and determine
>> whether an attribute value exists or not by distinguishing the result
>> code constraintViolation(19) vs. insufficientAccessRights(50).
>> Even worse, this even works in case the attacker does not have read
>> access anywhere!
Furthermore, the security of a system should not rely on confidentiality of the configuration. E.g. with Æ-DIR the config is publicly known. Also note I'm usually blamed for making directory contents too confidential.

Ciao, Michael.
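The result-code oracle quoted above (constraintViolation(19) vs. insufficientAccessRights(50)) comes down to the order in which a server evaluates a uniqueness constraint and the access decision. The following toy model is an added illustration and not OpenLDAP or slapo-unique code: it is a small in-memory directory whose add operation runs the two checks in both orders, so a defender can see which ordering leaks directory contents to a requester without any rights. All entries, DNs and the `writers` set are constructed sample data.

```python
"""Toy model of the constraint-vs-access result-code oracle.

Added illustration only; this is not OpenLDAP's implementation.  A
Directory enforces a uniqueness constraint on some attributes (a stand-in
for slapo-unique) and a crude access check (a stand-in for ACLs), and
offers the add operation with the two checks in either order.
"""
from dataclasses import dataclass, field

# LDAP result codes named in the thread
SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INSUFFICIENT_ACCESS_RIGHTS = 50


@dataclass
class Directory:
    # dn -> {attribute: set of values}; constructed sample data
    entries: dict = field(default_factory=dict)
    # attributes whose values must be unique across the directory
    unique_attrs: set = field(default_factory=set)
    # identities allowed to add entries (toy stand-in for ACLs)
    writers: set = field(default_factory=set)

    def _value_in_use(self, attr, value):
        return any(value in e.get(attr, set()) for e in self.entries.values())

    def _violates_constraint(self, attrs):
        return any(
            self._value_in_use(attr, value)
            for attr in self.unique_attrs
            for value in attrs.get(attr, set())
        )

    def add_constraint_first(self, requester, dn, attrs):
        """Leaky order: uniqueness is evaluated before access, so even a
        requester with no rights learns whether a value already exists."""
        if self._violates_constraint(attrs):
            return CONSTRAINT_VIOLATION
        if requester not in self.writers:
            return INSUFFICIENT_ACCESS_RIGHTS
        self.entries[dn] = attrs
        return SUCCESS

    def add_access_first(self, requester, dn, attrs):
        """Hardened order: the access decision comes first, so the
        constraint is only consulted for requesters allowed to add.  An
        unprivileged requester gets the same code whatever the contents."""
        if requester not in self.writers:
            return INSUFFICIENT_ACCESS_RIGHTS
        if self._violates_constraint(attrs):
            return CONSTRAINT_VIOLATION
        self.entries[dn] = attrs
        return SUCCESS


def build_sample_directory():
    """Constructed sample directory: one entry, 'mail' must be unique."""
    d = Directory(unique_attrs={"mail"}, writers={"cn=admin"})
    d.entries["uid=alice,ou=people"] = {"mail": {"alice@example.com"}}
    return d


def probe(handler_name):
    """Result codes an unprivileged requester receives when adding an entry
    carrying an existing unique value versus a fresh one.  Distinct codes
    mean the server reveals whether the value exists."""
    d = build_sample_directory()
    handler = getattr(d, handler_name)
    existing = handler("cn=nobody", "uid=x,ou=people",
                       {"mail": {"alice@example.com"}})
    fresh = handler("cn=nobody", "uid=y,ou=people",
                    {"mail": {"nobody@example.com"}})
    return existing, fresh


if __name__ == "__main__":
    print("constraint first:", probe("add_constraint_first"))
    print("access first:    ", probe("add_access_first"))
```

`probe("add_constraint_first")` yields different codes for the two adds, which is the oracle the thread describes; `probe("add_access_first")` yields the same code for both, so the contents are not disclosed to a requester with no add rights. Note the limit of this mitigation: a requester who is allowed to add entries still learns about conflicts, because a uniqueness constraint cannot be enforced without reporting them. That is the sense in which Michael's point stands: the information is already available to anyone with write access, and the diagnostic message from ITS#8866 does not change that class of disclosure.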