opends/resource/config/config.ldif
@@ -46,6 +46,7 @@ ds-cfg-bind-with-dn-requires-password: true ds-cfg-reject-unauthenticated-requests: false ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,cn=config ds-cfg-return-bind-error-messages: false ds-cfg-allowed-task: org.opends.server.tasks.AddSchemaFileTask ds-cfg-allowed-task: org.opends.server.tasks.BackupTask ds-cfg-allowed-task: org.opends.server.tasks.DisconnectClientTask opends/resource/schema/02-config.ldif
@@ -1534,6 +1534,9 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDS Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.26027.1.1.457 NAME 'ds-cfg-disabled-privilege' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDS Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.26027.1.1.458 NAME 'ds-cfg-return-bind-error-messages' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.1 NAME 'ds-cfg-access-control-handler' SUP top STRUCTURAL MUST ( cn $ ds-cfg-acl-handler-class $ ds-cfg-acl-handler-enabled ) @@ -1748,8 +1751,8 @@ ds-cfg-proxied-authorization-identity-mapper-dn $ ds-cfg-writability-mode $ ds-cfg-reject-unauthenticated-requests $ ds-cfg-bind-with-dn-requires-password $ ds-cfg-lookthrough-limit $ ds-cfg-smtp-server $ ds-cfg-allowed-task $ ds-cfg-disabled-privilege ) X-ORIGIN 'OpenDS Directory Server' ) ds-cfg-smtp-server $ ds-cfg-allowed-task $ ds-cfg-disabled-privilege $ ds-cfg-return-bind-error-messages ) X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.41 NAME 'ds-cfg-root-dn' SUP top AUXILIARY MAY ds-cfg-alternate-bind-dn X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.42 NAME 'ds-cfg-root-dse' opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
@@ -667,5 +667,31 @@ </adm:profile> </adm:property> <adm:property name="return-bind-error-messages" mandatory="false"> <adm:synopsis> Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure. Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages will appear only in the server's access log. </adm:synopsis> <adm:default-behavior> <adm:defined> <adm:value> false </adm:value> </adm:defined> </adm:default-behavior> <adm:syntax> <adm:boolean /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:oid>1.3.6.1.4.1.26027.1.1.456</ldap:oid> <ldap:name>ds-cfg-return-bind-error-messages</ldap:name> </ldap:attribute> </adm:profile> </adm:property> </adm:managed-object> opends/src/server/org/opends/server/core/BindOperationBasis.java
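Review bot: The `ldap:oid` given for `return-bind-error-messages` in this hunk is `1.3.6.1.4.1.26027.1.1.456`, but the schema hunk in `02-config.ldif` registers `ds-cfg-return-bind-error-messages` as `1.3.6.1.4.1.26027.1.1.458`; the two must agree or the generated configuration class will not resolve the attribute the server schema actually defines. Since `457` is already `ds-cfg-disabled-privilege`, `458` is presumably the intended new value and `456` likely belongs to another attribute — please verify in the schema and change the XML to `<ldap:oid>1.3.6.1.4.1.26027.1.1.458</ldap:oid>`. The synopsis would also help operators more if it named the exposure concretely, e.g. appending "In particular, the message may let a client distinguish failure causes (such as an unknown account from a wrong password), which aids account enumeration; leave this disabled on servers reachable by untrusted clients."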
@@ -516,6 +516,12 @@ */ public final void setAuthFailureReason(int id, String reason) { if (DirectoryServer.returnBindErrorMessages()) { appendErrorMessage(reason); } else { if (id < 0) { authFailureID = 0; @@ -527,6 +533,7 @@ authFailureReason = reason; } } /** * {@inheritDoc} opends/src/server/org/opends/server/core/BindOperationWrapper.java
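Review bot: In the new `if (DirectoryServer.returnBindErrorMessages())` branch of `setAuthFailureReason`, only `appendErrorMessage(reason)` is called and the `authFailureID`/`authFailureReason` assignments are left to the `else` branch, so when the option is enabled `id` is discarded and whatever reads the stored failure reason (the synopsis points at the access log) would see it unset; the hunk does not show those readers, so please confirm. The two behaviours are independent, so the fields should be set unconditionally and the message appended in addition: drop the `else {` and its closing brace and keep `if (DirectoryServer.returnBindErrorMessages()) { appendErrorMessage(reason); }` ahead of the existing assignments. The method's body continues in the second hunk and the lines between the hunks are not visible here.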
@@ -166,8 +166,15 @@ */ public void setAuthFailureReason(int id, String reason) { if (DirectoryServer.returnBindErrorMessages()) { bind.appendErrorMessage(reason); } else { bind.setAuthFailureReason(id, reason); } } /** * {@inheritDoc} opends/src/server/org/opends/server/core/CoreConfigManager.java
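Review bot: `BindOperationWrapper.setAuthFailureReason` re-implements the disclosure policy that `BindOperationBasis.setAuthFailureReason` already applies in this same commit, so the decision now lives in two places and a later change to one (for example also recording the reason when the option is on) would silently diverge from the other. If `bind` is a `BindOperation` whose `setAuthFailureReason` performs this check — true for `BindOperationBasis` here — the wrapper should simply delegate: `bind.setAuthFailureReason(id, reason);`. As written the enabled branch also drops `id`, the same loss noted for the basis class.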
@@ -334,6 +334,9 @@ } } DirectoryServer.setDisabledPrivileges(disabledPrivileges); DirectoryServer.setReturnBindErrorMessages( globalConfig.isReturnBindErrorMessages()); } opends/src/server/org/opends/server/core/DirectoryServer.java
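Review bot: The new `DirectoryServer.setReturnBindErrorMessages(globalConfig.isReturnBindErrorMessages())` call appears in only one hunk of `CoreConfigManager`; if this is the initial-load path and not also the `applyConfigurationChange` handler, a runtime `dsconfig set-global-configuration-prop` would have no effect until restart, yet the new unit test toggles the property live and expects bind responses to change immediately. The enclosing method starts outside the hunk, so this is inferred rather than shown — please confirm the setter is also invoked wherever the other global flags (e.g. `setDisabledPrivileges`) are re-applied on change. A short comment at the call site such as `// Bind failure disclosure policy; must be re-applied on config change, see applyConfigurationChange` would make the expectation explicit.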
@@ -255,6 +255,9 @@ // Indicates whether the server should reject unauthenticated requests. private boolean rejectUnauthenticatedRequests; // Indicates whether bind responses should include failure reason messages. private boolean returnBindErrorMessages; // The configuration manager that will handle the certificate mapper. private CertificateMapperConfigManager certificateMapperConfigManager; @@ -726,6 +729,7 @@ new CopyOnWriteArrayList<ImportTaskListener>(); directoryServer.allowedTasks = new LinkedHashSet<String>(0); directoryServer.disabledPrivileges = new LinkedHashSet<Privilege>(0); directoryServer.returnBindErrorMessages = false; } @@ -7467,6 +7471,35 @@ /** * Indicates whether responses to failed bind operations should include a * message explaining the reason for the failure. * * @return {@code true} if bind responses should include error messages, or * {@code false} if not. */ public static boolean returnBindErrorMessages() { return directoryServer.returnBindErrorMessages; } /** * Specifies whether responses to failed bind operations should include a * message explaining the reason for the failure. * * @param returnBindErrorMessages Specifies whether responses to failed bind * operations should include a message * explaining the reason for the failure. */ public static void setReturnBindErrorMessages(boolean returnBindErrorMessages) { directoryServer.returnBindErrorMessages = returnBindErrorMessages; } /** * Registers the provided backup task listener with the Directory Server. * * @param listener The backup task listener to register with the Directory opends/tests/unit-tests-testng/src/server/org/opends/server/core/BindOperationTestCase.java
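Review bot: `private boolean returnBindErrorMessages;` is written by `setReturnBindErrorMessages` from the configuration-change path and read by `returnBindErrorMessages()` on every failing bind, which presumably runs on connection-handler threads, yet the field is neither `volatile` nor otherwise synchronized, so a change could in principle go unobserved by other threads for a while. This matches the neighbouring flags such as `rejectUnauthenticatedRequests`, so it may be an accepted convention in this class; if so, the getter's Javadoc should say "Reads are unsynchronized; a configuration change may not be visible to in-flight operations immediately", and if not, declare the field `private volatile boolean returnBindErrorMessages;`. Given this flag controls what a remote client learns about an authentication failure, erring toward the `volatile` form seems preferable.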
@@ -52,6 +52,7 @@ import org.opends.server.protocols.ldap.LDAPMessage; import org.opends.server.protocols.ldap.LDAPResultCode; import org.opends.server.tools.LDAPSearch; import org.opends.server.tools.dsconfig.DSConfig; import org.opends.server.types.Attribute; import org.opends.server.types.AuthenticationInfo; import org.opends.server.types.AuthenticationType; 
@@ -1901,6 +1902,69 @@ /** * Tests the behavior of the returnBindErrorMessage configuration option. */ @Test() public void testReturnBindErrorMessage() { // Make sure that the default behavior is to not include the error message. InternalClientConnection conn = new InternalClientConnection(new AuthenticationInfo()); BindOperation bindOperation = conn.processSimpleBind(new ASN1OctetString("cn=Directory Manager"), new ASN1OctetString("wrongpassword")); assertEquals(bindOperation.getResultCode(), ResultCode.INVALID_CREDENTIALS); assertTrue(((bindOperation.getErrorMessage() == null) || (bindOperation.getErrorMessage().length() == 0)), bindOperation.getErrorMessage().toString()); // Change the server configuration so that error messages should be // returned. String[] args = { "-h", "127.0.0.1", "-p", String.valueOf(TestCaseUtils.getServerLdapPort()), "-D", "cn=Directory Manager", "-w", "password", "set-global-configuration-prop", "--set", "return-bind-error-messages:true" }; assertEquals(DSConfig.main(args, false, System.out, System.err), 0); bindOperation = conn.processSimpleBind(new ASN1OctetString("cn=Directory Manager"), new ASN1OctetString("wrongpassword")); assertEquals(bindOperation.getResultCode(), ResultCode.INVALID_CREDENTIALS); assertTrue(bindOperation.getErrorMessage().length() > 0); // Change the configuration back and make sure that the error message goes // away. 
args = new String[] { "-h", "127.0.0.1", "-p", String.valueOf(TestCaseUtils.getServerLdapPort()), "-D", "cn=Directory Manager", "-w", "password", "set-global-configuration-prop", "--set", "return-bind-error-messages:false" }; assertEquals(DSConfig.main(args, false, System.out, System.err), 0); bindOperation = conn.processSimpleBind(new ASN1OctetString("cn=Directory Manager"), new ASN1OctetString("wrongpassword")); assertEquals(bindOperation.getResultCode(), ResultCode.INVALID_CREDENTIALS); assertTrue(((bindOperation.getErrorMessage() == null) || (bindOperation.getErrorMessage().length() == 0)), bindOperation.getErrorMessage().toString()); } /** * Tests to ensure that performing multiple binds on a client connection will * cause the connection to no longer be associated with the previous identity. * This helps provide coverage for issue #1392.
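Review bot: The assertions `assertTrue(((bindOperation.getErrorMessage() == null) || (bindOperation.getErrorMessage().length() == 0)), bindOperation.getErrorMessage().toString())` in `testReturnBindErrorMessage` dereference `getErrorMessage()` in the message argument, which Java evaluates before `assertTrue` runs, so the very case being asserted (a null error message) throws `NullPointerException` instead of passing; use `String.valueOf(bindOperation.getErrorMessage())` for the message argument in both places. Separately, the test turns `return-bind-error-messages` on via `DSConfig` and only restores it at the end, so any failed assertion in between leaves the server leaking bind failure reasons for every later test in the suite; wrap the enabled section in `try { ... } finally { ... }` with the restoring `DSConfig.main` call in the `finally`. The method is complete within this hunk.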