Troubles with idp.authn.LDAP.returnAttributes property

Guillaume Rousse guillaume.rousse at
Thu Oct 3 11:53:36 EDT 2019

On 03/10/2019 at 16:43, Peter Schober wrote:
> * Guillaume Rousse <guillaume.rousse at> [2019-10-03 15:39]:
>> Our current configuration uses the default file content:
>> ## Return attributes during authentication
>> idp.authn.LDAP.returnAttributes =
> That's not the default, at least not in my conf/ nor
> in the shipped distributed copy in dist/conf/ which you
> could check yourself:
> idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
>> However, all attributes are currently being retrieved. Which is both fragile
>> (the authentication issue was caused by a JPEG image stored in an LDAP
>> attribute, triggering a 'maximum request size exceeded' error) and
>> undesirable, as it exposes sensitive information.
> While a well-behaved LDAP client only asks for what it needs, that does
> not replace proper configuration of ACLs/ACIs on the server!
> An LDAP DSA should not hand out "everything" to anyone that asks,
> *especially* not password hashes. That would be a major security
> issue. (Who knows how many of your LDAP services have been receiving
> hashed passwords in the past?!)
I don't think we have an LDAP ACL issue here, as a user is entitled to 
read and write its own password. From what I understood, one of the 
purposes of retrieving attributes during user authentication is precisely 
to retrieve user-only attributes not available during the standard attribute 
resolution phase.

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
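Editor's note: the thread above covers two separate controls. The client-side one is the `idp.authn.LDAP.returnAttributes` property: left empty, the IdP requests every attribute of the bound entry (which is how a stored image could push a response past the request size limit); set to the distributed value `passwordExpirationTime,loginGraceRemaining`, only those two are requested. The server-side one, which Peter's reply argues is the real fix, is an access control list on the directory itself. The following OpenLDAP `cn=config` modification is an added illustration of that server-side control and is not part of the original thread; it assumes an `mdb` backend at index `{1}` and uses the standard `jpegPhoto` attribute as a stand-in for whichever attribute held the image in the poster's directory, neither of which the thread states.

```ldif
# Added example (not from the thread): restrict what the DSA hands out.
# Assumption: the user database is olcDatabase={1}mdb; adjust to match.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes are never readable by anyone: the owner may change them,
# anonymous binds may only use them to authenticate (the "auth" level).
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Large binary attributes stay with their owner (assumption: the image
# lives in jpegPhoto); service accounts such as the IdP bind DN get nothing.
olcAccess: {1}to attrs=jpegPhoto
  by self read
  by * none
# Everything else is readable by authenticated users only, never anonymously.
olcAccess: {2}to *
  by self read
  by users read
  by * none
```

Applied with `ldapmodify` against `cn=config`, rules are evaluated in `{n}` order and the first `to` clause that matches wins, so the `userPassword` rule must precede the catch-all. A quick check after the change is to bind as the IdP service account and confirm that a search for `userPassword` on another entry returns the entry with no such attribute rather than a hash; if it still returns one, the service account is matching an earlier, broader rule.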
