[ https://issues.apache.org/jira/browse/DIRSERVER-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Karasulu updated DIRSERVER-997: ------------------------------------ Fix Version/s: (was: 1.5.3) 1.5.4 Assignee: Emmanuel Lecharny Looks like you got this on the roadmap. > Block search ability for userPassword attribute > ----------------------------------------------- > > Key: DIRSERVER-997 > URL: https://issues.apache.org/jira/browse/DIRSERVER-997 > Project: Directory ApacheDS > Issue Type: Improvement > Affects Versions: 1.5.2, 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0, 1.0-RC4, > 1.0-RC3, 1.0-RC2, 1.0-RC1, pre-1.0 > Environment: All > Reporter: Hans Lohmander > Assignee: Emmanuel Lecharny > Fix For: 1.5.4 > > > I entered this issue on request from the user list where this topic came up. > The userPassword should not be available for search, > else password fishing is possible. > If you are allowed to do a search like > $ ldapsearch -b o=some.root -s sub > 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn > it would render you all objects with the attribute userPassword equal to > "the secret password", which may not be such a good idea. > iPlanet DS 4.x allowed searches on ueserPassword attribute with > directory manager privs I found out. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.