From 563ec02f82746d87c5ce638e9e7e1bfcec2ba473 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Mon, 30 Jul 2007 01:05:28 +0000
Subject: [PATCH] Provide a configuration option that makes it possible for the administrator to control whether responses to failed bind operations include an error message that explains the problem.  By default, failed bind operations will return a response that indicates the operation failed, but will not include any error message (although it will be written to the access log).  However, if the administrator decides that the benefit of providing this information to the client outweighs any potential security risk, then this option may be used to include that message in the response to the client as well as having it written to the access log.

---
 opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml b/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
index 8682e77..ae2620b 100644
--- a/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
+++ b/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
@@ -667,5 +667,31 @@
     </adm:profile>
   </adm:property>
 
+  <adm:property name="return-bind-error-messages" mandatory="false">
+    <adm:synopsis>
+      Indicates whether responses for failed bind operations should include a
+      message string providing the reason for the authentication failure.  Note
+      that these messages may include information that could potentially be used
+      by an attacker.  If this option is disabled, then these messages will
+      appear only in the server's access log.
+    </adm:synopsis>
+    <adm:default-behavior>
+      <adm:defined>
+        <adm:value>
+          false
+        </adm:value>
+      </adm:defined>
+    </adm:default-behavior>
+    <adm:syntax>
+      <adm:boolean />
+    </adm:syntax>
+    <adm:profile name="ldap">
+      <ldap:attribute>
+        <ldap:oid>1.3.6.1.4.1.26027.1.1.456</ldap:oid>
+        <ldap:name>ds-cfg-return-bind-error-messages</ldap:name>
+      </ldap:attribute>
+    </adm:profile>
+  </adm:property>
+
 </adm:managed-object>
 
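Review bot: The synopsis on lines 20-24 says only that the messages "could potentially be used by an attacker" without naming the exposure, so an administrator weighing the trade-off the commit message describes has no concrete basis for the decision; I would make the sentence specific, e.g. `Note that these messages may reveal information useful to an attacker (for example, whether the bind DN exists or the account is disabled or locked, as opposed to a wrong password), which enables account enumeration.` Separately, the diffstat shows this commit changes only the configuration definition; the bind-processing code that would read ds-cfg-return-bind-error-messages and suppress the message when it is false is not in this patch, so as committed the new default presumably has no effect until that enforcement exists, and it would be worth confirming it lands together with this definition. The synopsis could also state explicitly that the result code and access-log entry are unaffected and only the diagnostic message string is withheld, if that is indeed the intended semantics.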
