Description
I entered this issue on request from the user list where this topic came up.
The userPassword should not be available for search,
else password fishing is possible.
If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="b4b5835f03bd6748e0cc25790d6f3498"' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.
iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out.
Issue Links
- depends upon: DIRSERVER-955 FilterMatch permissions are not being handled in Access Control decisions (Reopened)
- is cloned by: DIRSERVER-1259 Make the userPassword not searchable from the outside (Resolved)
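
A defensive check for the search pattern described in this issue, as an added example that is not part of the original report or of the directory server's code: it parses an RFC 4515 filter, such as one taken from an access log or seen at a proxy, and flags any assertion on userPassword by name or by OID. The function names and the sample filters are assumptions made for the illustration.

```python
import re

# userPassword by short name and by OID (RFC 4519); compared case-insensitively.
SENSITIVE = {"userpassword", "2.5.4.35"}

# Attribute description (name or OID, optional ;options) followed by a match
# operator: =, ~=, >=, <= or the ":" that opens an extensible match (RFC 4515).
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*(?:[~<>]?=|:)")


def asserted_attributes(flt):
    """Return the lower-cased attribute types asserted anywhere in a filter."""
    flt = flt.strip()
    if not flt.startswith("("):        # ldapsearch accepts a bare item
        flt = "(" + flt + ")"
    found = set()

    def parse(pos):
        if flt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if flt[pos] in "&|!":          # composite: recurse into each operand
            pos += 1
            while flt[pos] == "(":
                pos = parse(pos)
        else:                          # single assertion
            m = _ITEM.match(flt, pos)
            if m is None:
                raise ValueError("no attribute type at offset %d" % pos)
            found.add(m.group(1).lower())
            pos = flt.index(")", m.end())   # values escape ')' as \29
        if flt[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return pos + 1

    if parse(0) != len(flt):
        raise ValueError("trailing data after filter")
    return found


def is_password_search(flt):
    """True if the filter asserts on userPassword; unparseable filters fail closed."""
    try:
        return bool(asserted_attributes(flt) & SENSITIVE)
    except (ValueError, IndexError):
        # Includes extensible matches with no attribute type, which apply to
        # every attribute the matching rule supports.
        return True
```

The first filter in the issue, passed as `is_password_search('userPassword="b4b5835f03bd6748e0cc25790d6f3498"')`, is flagged, while a filter such as `(&(objectClass=person)(cn=a*))` is not.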