Troubles with idp.authn.LDAP.returnAttributes property

Peter Schober peter.schober at univie.ac.at
Thu Oct 3 10:43:51 EDT 2019


* Guillaume Rousse <guillaume.rousse at renater.fr> [2019-10-03 15:39]:
> Our current configuration uses the default ldap.properties file content:
> ## Return attributes during authentication
> idp.authn.LDAP.returnAttributes =

That's not the default, at least not in my conf/ldap.properties nor
in the shipped distributed copy in dist/conf/ldap.properties which you
could check yourself:

idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining

> However, all attributes are currently being retrieved. Which is both fragile
> (the authentication issue was caused by a JPEG image stored in an LDAP
> attribute, triggering a 'maximum request size exceded' error) and
> undesirable, as it exposes sensitive information.

While a well-behaved LDAP client only asks for what it needs, that does
not replace proper configuration of ACLs/ACIs on the server!
An LDAP DSA should not hand out "everything" to anyone that asks,
*especially* not password hashes. That would be a major security
issue. (Who knows how many of your LDAP services have been receiving
hashed passwords in the past?!)

I seriously doubt the IDP is hashing the password entered by the
subject during authentication (where it would get the cleartext
password verbatim) so a hash in that JSON is likely the result of the
ACS error on the server mentioned above.
(The client doesn't perform any hashing during a simple LDAP bind.)

-peter
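
The server-side point in the reply above can be checked offline. This is an added example, not part of the original post and not Shibboleth code: it compares an LDIF entry, as a search run with the IdP's bind identity and no attribute list would return it, against idp.authn.LDAP.returnAttributes. The helper names, the credential attribute list, the 4096-byte threshold and the sample entry are assumptions made for illustration.

```python
import base64

# Credential-bearing attribute types (illustrative list; extend for your schema).
CREDENTIAL_ATTRS = {"userpassword", "sambantpassword"}

def allowed_attrs(properties_text):
    """Lower-cased names listed in idp.authn.LDAP.returnAttributes."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "idp.authn.LDAP.returnAttributes":
            return {a.strip().lower() for a in value.split(",") if a.strip()}
    return set()

def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attr: [bytes]}, unfolding continuation lines."""
    entry = {}
    for line in ldif_text.replace("\n ", "").splitlines():
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: value" carries base64 data
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        entry.setdefault(name.lower(), []).append(value)
    return entry

def audit(entry, allowed, max_bytes=4096):
    """Flag what the server released beyond what the IdP asks for.

    max_bytes is a hypothetical threshold for values large enough to
    endanger a size-limited client, such as an embedded photo.
    """
    findings = []
    for attr, values in sorted(entry.items()):
        if attr == "dn":
            continue
        if attr in CREDENTIAL_ATTRS:
            findings.append((attr, "credential"))
        elif attr not in allowed:
            findings.append((attr, "not-requested"))
        if any(len(v) > max_bytes for v in values):
            findings.append((attr, "oversized"))
    return findings

# Constructed sample data: an entry as an over-permissive server might release it.
PHOTO_B64 = base64.b64encode(b"\xff\xd8" + bytes(6000)).decode()
SAMPLE_LDIF = ("dn: uid=jdoe,ou=people,dc=example,dc=org\nuid: jdoe\n"
               "userPassword:: " + base64.b64encode(b"{SSHA}constructed").decode() + "\n"
               "jpegPhoto:: " + PHOTO_B64[:60] + "\n " + PHOTO_B64[60:] + "\n"
               "passwordExpirationTime: 20200101000000Z\n")
SAMPLE_PROPS = "idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining\n"
```

Any "credential" finding means the directory's ACLs release password material to the service identity, whatever the client requests.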

