Directory ApacheDS / DIRSERVER-997

Block search ability for userPassword attribute

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: pre-1.0, 1.0-RC1, 1.0-RC2, 1.0-RC3, 1.0-RC4, 1.0, 1.0.1, 1.0.2, 1.5.0, 1.5.1, 1.5.2
    • Fix Version/s: 2.0.0-M8, 2.0.0-RC1
    • Component/s: None
    • Labels:
      None
    • Environment:
      All

      Description

      I entered this issue on request from the user list where this topic came up.

      The userPassword should not be available for search,
      else password fishing is possible.

      If you are allowed to do a search like
      $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn
      it would render you all objects with the attribute userPassword equal to
      "the secret password", which may not be such a good idea.

      iPlanet DS 4.x allowed searches on userPassword attribute with
      directory manager privs I found out.
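
The check requested above, sketched as an added example (not ApacheDS code and not part of the original report): it extracts the attributes an RFC 4515 search filter tests and flags any filter that could be evaluated against userPassword. The function names and sample filters are hypothetical, and the input is assumed to be the filter string as a server or proxy would receive it.

```python
import re

# Names the password attribute can take in a filter: its short name and
# its OID (2.5.4.35, RFC 4519). Compared case-insensitively.
SENSITIVE = {"userpassword", "2.5.4.35"}

# A filter item starts with "(" + attribute [;options], followed by a match
# operator (=, ~=, >=, <=) or ":" for an extensible match.
ITEM = re.compile(r"\(\s*([A-Za-z0-9.-]+)(?:;[A-Za-z0-9-]+)*\s*(?:[~<>]?=|:)")
# An extensible match with no attribute, e.g. (:octetStringMatch:=...), is
# compared against every attribute that supports the rule.
ANY_ATTR = re.compile(r"\(\s*:")


def filter_attributes(ldap_filter):
    """Return the lowercased attribute names an RFC 4515 filter tests.

    "*" is included when an item can match any attribute.
    """
    text = ldap_filter.strip()
    if not text.startswith("("):
        text = "(" + text + ")"  # the report's filter has no outer parentheses
    names = {m.group(1).lower() for m in ITEM.finditer(text)}
    if ANY_ATTR.search(text):
        names.add("*")
    return names


def references_password(ldap_filter):
    """True if the filter could be evaluated against userPassword."""
    names = filter_attributes(ldap_filter)
    return "*" in names or bool(names & SENSITIVE)


# Constructed sample filters; the first is the one from the report above.
SAMPLES = [
    'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"',
    "(&(objectClass=person)(2.5.4.35;binary=abc))",
    "(!(USERPASSWORD:octetStringMatch:=abc))",
    "(:octetStringMatch:=abc)",
    "(|(uid=jdoe)(cn=userPassword))",
]

if __name__ == "__main__":
    for f in SAMPLES:
        print("BLOCK" if references_password(f) else "allow", f)
```

Only the attribute position of each filter item is inspected, so a value that merely contains the string userPassword, as in the last sample, is not flagged.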

              People

              • Assignee:
                elecharny Emmanuel Lecharny
                Reporter:
                hmlhdr Hans Lohmander
              • Votes:
                0
                Watchers:
                2
