Troubles with idp.authn.LDAP.returnAttributes property

Peter Schober peter.schober at
Thu Oct 3 10:43:51 EDT 2019

* Guillaume Rousse <guillaume.rousse at> [2019-10-03 15:39]:
> Our current configuration uses the default file content:
> ## Return attributes during authentication
> idp.authn.LDAP.returnAttributes =

That's not the default, at least not in my conf/ nor
in the shipped distributed copy in dist/conf/ which you
could check yourself:

idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining

> However, all attributes are currently being retrieved. Which is both fragile
> (the authentication issue was caused by an JPEG image stored in an LDAP
> attribute, triggering a 'maximum request size exceded' error) and
> undesirable, as it exposes sensible informations.

While a well-behaved LDAP client only asks for what it needs that does
not replace proper configuration of ACLs/ACIs on the server!
An LDAP DSA should not hand out "everything" to anyone that asks,
*especially* not password hashes. That would be a major security
issue. (Who knows how many of your LDAP services have been recieving
hashed passwords in the past?!)

I seriously doubt the IDP is hashing the password entered by the
subject during authentication (where it would get the cleartext
password verbatim) so a hash in that JSON is likely the result of the
ACS error on the server mentioned above.
(The client doesn't perform any hashing during a simple LDAP bind.)


More information about the users mailing list