On 23/07/2014 18:00, Maxim Solodovnik wrote:
> MessageType : BIND_REQUEST
> Message ID : 1
> BindRequest
> Version : '3'
> Name : 'CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com'
> Simple authentication : '*password*/hash value'
>
> "*password*" is actually plain text password
Ahhh, crap!!!
In the BindRequestImpl class we do:
if ( isSimple )
{
    // simple bind: credentials are rendered both as text and as a hex dump
    sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
        .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
}
else
{
    // SASL bind: only the mechanism is rendered, the credentials are not
    sb.append( " Sasl credentials\n" );
    sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );

    if ( credentials == null )
    {
        sb.append( " Credentials : null" );
    }
    else
    {
        sb.append( " Credentials : (omitted-for-safety)" );
    }
}
As you can see, when using SASL bind, we don't expose the password,
while we do in PLAIN text...
I'm going to fix that immediately
(https://issues.apache.org/jira/browse/DIRAPI-197).
Many thanks!
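The following is an added example, not the Apache Directory API's own code: a minimal stand-in for a bind request that shows the leaky toString() described in the thread next to a hardened version, plus a check a unit test could keep so the regression cannot return. The class name, the toHex() helper (standing in for Strings.dumpBytes()) and the sample password are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;

// Constructed illustration of the bug discussed in the thread. It is not the
// Apache Directory API's own BindRequestImpl, only a minimal stand-in with the
// leaky toString() and a hardened one next to each other.
public class BindRequestToStringDemo
{
    private final String name;          // bind DN
    private final boolean isSimple;     // true for simple bind, false for SASL
    private final String mechanism;     // SASL mechanism, null for simple bind
    private final byte[] credentials;   // password bytes (simple) or SASL token

    BindRequestToStringDemo( String name, boolean isSimple, String mechanism, byte[] credentials )
    {
        this.name = name;
        this.isSimple = isSimple;
        this.mechanism = mechanism;
        this.credentials = credentials;
    }

    // Before: the simple-bind branch renders the credentials both as UTF-8 text
    // and as a hex dump, so any log statement that stringifies the request
    // writes the plain-text password. The SASL branch already omits them.
    String leakyToString()
    {
        StringBuilder sb = new StringBuilder( "    BindRequest\n" );
        sb.append( "        Name : '" ).append( name ).append( "'\n" );

        if ( isSimple )
        {
            sb.append( "        Simple authentication : '" )
              .append( new String( credentials, StandardCharsets.UTF_8 ) )
              .append( '/' ).append( toHex( credentials ) ).append( "'\n" );
        }
        else
        {
            appendSaslPart( sb );
        }

        return sb.toString();
    }

    // After: the simple-bind branch is brought in line with the SASL branch and
    // reports only whether credentials are present, never their value.
    String safeToString()
    {
        StringBuilder sb = new StringBuilder( "    BindRequest\n" );
        sb.append( "        Name : '" ).append( name ).append( "'\n" );

        if ( isSimple )
        {
            sb.append( "        Simple authentication : " )
              .append( credentials == null ? "null" : "(omitted-for-safety)" ).append( '\n' );
        }
        else
        {
            appendSaslPart( sb );
        }

        return sb.toString();
    }

    // Shared SASL rendering, identical in both versions: mechanism only.
    private void appendSaslPart( StringBuilder sb )
    {
        sb.append( "        Sasl credentials\n" );
        sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
        sb.append( "            Credentials : " )
          .append( credentials == null ? "null" : "(omitted-for-safety)" ).append( '\n' );
    }

    // Minimal hex dump, an assumed stand-in for Strings.dumpBytes().
    private static String toHex( byte[] bytes )
    {
        StringBuilder sb = new StringBuilder();
        for ( byte b : bytes )
        {
            sb.append( String.format( "%02x", b ) );
        }
        return sb.toString();
    }

    // Regression check worth keeping in a unit test: no rendering of the request
    // may contain the secret, neither as text nor as its hex form.
    static boolean leaksSecret( String rendered, byte[] secret )
    {
        return rendered.contains( new String( secret, StandardCharsets.UTF_8 ) )
            || rendered.contains( toHex( secret ) );
    }

    public static void main( String[] args )
    {
        byte[] password = "demo-password".getBytes( StandardCharsets.UTF_8 ); // constructed sample
        BindRequestToStringDemo request = new BindRequestToStringDemo(
            "CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com", true, null, password );

        System.out.println( request.leakyToString() );
        System.out.println( "leaky toString() exposes the password: " + leaksSecret( request.leakyToString(), password ) );
        System.out.println( request.safeToString() );
        System.out.println( "safe toString() exposes the password: " + leaksSecret( request.safeToString(), password ) );
    }
}
```

Compile and run it with `javac BindRequestToStringDemo.java && java BindRequestToStringDemo`. The point of leaksSecret() is that it checks both the UTF-8 form and the hex form, because the original rendering exposed the password twice, and a test that only greps for the readable string would miss the dump.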