Thanks :)
On 23 July 2014 23:11, Emmanuel Lécharny <[email protected]> wrote:

> On 23/07/2014 18:00, Maxim Solodovnik wrote:
> > MessageType : BIND_REQUEST
> > Message ID : 1
> > BindRequest
> > Version : '3'
> > Name : 'CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com'
> > Simple authentication : '*password*/hash value'
> >
> > "*password*" is actually plain text password
> >
> Ahhh, crap !!!
>
> In the BindRequestImpl class we do :
>
>     if ( isSimple )
>     {
>         sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
>             .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
>     }
>     else
>     {
>         sb.append( " Sasl credentials\n" );
>         sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );
>
>         if ( credentials == null )
>         {
>             sb.append( " Credentials : null" );
>         }
>         else
>         {
>             sb.append( " Credentials : (omitted-for-safety)" );
>         }
>
> As you can see, when using SASL bind, we don't expose the password,
> while we do in PLAIN text...
>
> I'm going to fix that immediately
> (https://issues.apache.org/jira/browse/DIRAPI-197).
>
> Many thanks !
>

--
WBR
Maxim aka solomax
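Logs written before the fix still hold the plain-text password in the `Simple authentication` line shown in the thread. The following is an added example, not code from this thread or from the Apache Directory project: a scrubber that redacts those lines and lists the bind DNs whose password was exposed. The function names, the sample log and the byte-dump text in it are constructed for illustration.

```python
import re

# Line format taken from the BindRequestImpl snippet quoted in the thread:
#   Simple authentication : '<password>/<byte dump>'
# The match is greedy up to the last quote on the line because a password
# may itself contain "'" or "/".
_SIMPLE_BIND = re.compile(r"(Simple authentication\s*:\s*)'.*'\s*$")
_BIND_NAME = re.compile(r"\bName\s*:\s*'(.*)'\s*$")
REDACTED = "'(omitted-for-safety)'"


def scrub(text):
    """Return (clean_lines, exposed_dns) for a log dump.

    clean_lines: input lines with every simple-bind credential replaced.
    exposed_dns: bind DNs logged next to a plain-text password, in order of
                 first appearance, so those passwords can be rotated.
    Heuristic: the DN is taken from the closest preceding "Name :" line.
    """
    clean, exposed, last_dn = [], [], None
    for line in text.splitlines():
        name = _BIND_NAME.search(line)
        if name:
            last_dn = name.group(1)
        hit = _SIMPLE_BIND.search(line)
        if hit:
            line = line[:hit.start()] + hit.group(1) + REDACTED
            if last_dn is not None and last_dn not in exposed:
                exposed.append(last_dn)
            last_dn = None
        clean.append(line)
    return clean, exposed


# Constructed sample: one simple bind (leaks) and one SASL bind (already safe).
SAMPLE = """\
MessageType : BIND_REQUEST
Message ID : 1
    BindRequest
        Version : '3'
        Name : 'CN=binduser,OU=YXZ,OU=Users,DC=company,DC=com'
        Simple authentication : 'it's/a secret/0x69 0x74 0x27 0x73'
MessageType : BIND_REQUEST
Message ID : 2
    BindRequest
        Version : '3'
        Name : 'CN=sasluser,OU=YXZ,OU=Users,DC=company,DC=com'
        Sasl credentials
        Mechanism :'DIGEST-MD5'
        Credentials : (omitted-for-safety)
"""
```

A password containing a line break would spill onto the next log line and is not caught by this line-based match.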
