From dd80dce4110fec321d23d7536dba069d10bd7014 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Mon, 30 Jul 2007 01:05:28 +0000
Subject: [PATCH] Provide a configuration option that makes it possible for the administrator to control whether responses to failed bind operations include an error message that explains the problem. By default, failed bind operations will return a response that indicates the operation failed, but will not include any error message (although it will be written to the access log). However, if the administrator decides that the benefit of providing this information to the client outweighs any potential security risk, then this option may be used to include that message in the response to the client as well as having it written to the access log.
---
opends/resource/schema/02-config.ldif | 7 +
opends/src/server/org/opends/server/core/DirectoryServer.java | 33 +++++++++++
opends/src/server/org/opends/server/core/BindOperationBasis.java | 17 ++++-
opends/tests/unit-tests-testng/src/server/org/opends/server/core/BindOperationTestCase.java | 64 +++++++++++++++++++++
opends/src/server/org/opends/server/core/BindOperationWrapper.java | 9 ++
opends/resource/config/config.ldif | 1
opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml | 26 ++++++++
opends/src/server/org/opends/server/core/CoreConfigManager.java | 3 +
8 files changed, 152 insertions(+), 8 deletions(-)
diff --git a/opends/resource/config/config.ldif b/opends/resource/config/config.ldif
index a5caa71..dd087a8 100644
--- a/opends/resource/config/config.ldif
+++ b/opends/resource/config/config.ldif
@@ -46,6 +46,7 @@
ds-cfg-bind-with-dn-requires-password: true
ds-cfg-reject-unauthenticated-requests: false
ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,cn=config
+ds-cfg-return-bind-error-messages: false
ds-cfg-allowed-task: org.opends.server.tasks.AddSchemaFileTask
ds-cfg-allowed-task: org.opends.server.tasks.BackupTask
ds-cfg-allowed-task: org.opends.server.tasks.DisconnectClientTask
diff --git a/opends/resource/schema/02-config.ldif b/opends/resource/schema/02-config.ldif
index 7e8d6fd..8faf0e4 100644
--- a/opends/resource/schema/02-config.ldif
+++ b/opends/resource/schema/02-config.ldif
@@ -1534,6 +1534,9 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDS Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.26027.1.1.457 NAME 'ds-cfg-disabled-privilege'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDS Directory Server' )
+attributeTypes: ( 1.3.6.1.4.1.26027.1.1.458
+ NAME 'ds-cfg-return-bind-error-messages' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.1
NAME 'ds-cfg-access-control-handler' SUP top STRUCTURAL
MUST ( cn $ ds-cfg-acl-handler-class $ ds-cfg-acl-handler-enabled )
@@ -1748,8 +1751,8 @@
ds-cfg-proxied-authorization-identity-mapper-dn $ ds-cfg-writability-mode $
ds-cfg-reject-unauthenticated-requests $
ds-cfg-bind-with-dn-requires-password $ ds-cfg-lookthrough-limit $
- ds-cfg-smtp-server $ ds-cfg-allowed-task $ ds-cfg-disabled-privilege )
- X-ORIGIN 'OpenDS Directory Server' )
+ ds-cfg-smtp-server $ ds-cfg-allowed-task $ ds-cfg-disabled-privilege $
+ ds-cfg-return-bind-error-messages ) X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.41 NAME 'ds-cfg-root-dn' SUP top
AUXILIARY MAY ds-cfg-alternate-bind-dn X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.42 NAME 'ds-cfg-root-dse'
diff --git a/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
index 8682e77..ae2620b 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/GlobalConfiguration.xml
@@ -667,5 +667,31 @@
</adm:profile>
</adm:property>
+ <adm:property name="return-bind-error-messages" mandatory="false">
+ <adm:synopsis>
+ Indicates whether responses for failed bind operations should include a
+ message string providing the reason for the authentication failure. Note
+ that these messages may include information that could potentially be used
+ by an attacker. If this option is disabled, then these messages will
+ appear only in the server's access log.
+ </adm:synopsis>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>
+ false
+ </adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:boolean />
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:oid>1.3.6.1.4.1.26027.1.1.456</ldap:oid>
+ <ldap:name>ds-cfg-return-bind-error-messages</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+
</adm:managed-object>
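Review bot: The LDAP profile on line 79 maps `return-bind-error-messages` to OID `1.3.6.1.4.1.26027.1.1.456`, but the schema hunk in 02-config.ldif registers `ds-cfg-return-bind-error-messages` under `1.3.6.1.4.1.26027.1.1.458`. Given that `.457` is already `ds-cfg-disabled-privilege` (visible in the schema hunk), `.456` is very likely the attribute declared just above it, so the admin framework would describe this property with another attribute's OID. Change line 79 to `<ldap:oid>1.3.6.1.4.1.26027.1.1.458</ldap:oid>` so the two definitions agree.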
diff --git a/opends/src/server/org/opends/server/core/BindOperationBasis.java b/opends/src/server/org/opends/server/core/BindOperationBasis.java
index 94dba4d..58e39e5 100644
--- a/opends/src/server/org/opends/server/core/BindOperationBasis.java
+++ b/opends/src/server/org/opends/server/core/BindOperationBasis.java
@@ -516,16 +516,23 @@
*/
public final void setAuthFailureReason(int id, String reason)
{
- if (id < 0)
+ if (DirectoryServer.returnBindErrorMessages())
{
- authFailureID = 0;
+ appendErrorMessage(reason);
}
else
{
- authFailureID = id;
- }
+ if (id < 0)
+ {
+ authFailureID = 0;
+ }
+ else
+ {
+ authFailureID = id;
+ }
- authFailureReason = reason;
+ authFailureReason = reason;
+ }
}
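Review bot: When `DirectoryServer.returnBindErrorMessages()` is true the method only calls `appendErrorMessage(reason)` and never assigns `authFailureID` or `authFailureReason`, so whatever later reads those fields — presumably the access logger the commit message says should still receive the reason — gets nothing in that configuration. The commit message promises the message in the response in addition to the access log, so the flag should add the client-visible message on top of the existing bookkeeping rather than replace it: keep the id/reason assignments unconditional and put `if (DirectoryServer.returnBindErrorMessages()) { appendErrorMessage(reason); }` in front of them. It would also be worth guarding the append with a null check on `reason`, since this method accepted a null reason before and `appendErrorMessage`'s null handling is not visible here.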
/**
diff --git a/opends/src/server/org/opends/server/core/BindOperationWrapper.java b/opends/src/server/org/opends/server/core/BindOperationWrapper.java
index 8de5716..970105b 100644
--- a/opends/src/server/org/opends/server/core/BindOperationWrapper.java
+++ b/opends/src/server/org/opends/server/core/BindOperationWrapper.java
@@ -166,7 +166,14 @@
*/
public void setAuthFailureReason(int id, String reason)
{
- bind.setAuthFailureReason(id, reason);
+ if (DirectoryServer.returnBindErrorMessages())
+ {
+ bind.appendErrorMessage(reason);
+ }
+ else
+ {
+ bind.setAuthFailureReason(id, reason);
+ }
}
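Review bot: The wrapper now duplicates the flag check that `BindOperationBasis.setAuthFailureReason` performs itself, so the policy lives in two places that must be kept in sync by hand, and if `bind` is a `BindOperationBasis` (not visible here) the `else` branch already applies the same test a second time. Delegating unconditionally, `bind.setAuthFailureReason(id, reason);`, keeps the decision in one place. As written, the enabled branch also drops the id/reason bookkeeping entirely, which the commit message says should still feed the access log.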
/**
diff --git a/opends/src/server/org/opends/server/core/CoreConfigManager.java b/opends/src/server/org/opends/server/core/CoreConfigManager.java
index ce9865c..5d3ef6d 100644
--- a/opends/src/server/org/opends/server/core/CoreConfigManager.java
+++ b/opends/src/server/org/opends/server/core/CoreConfigManager.java
@@ -334,6 +334,9 @@
}
}
DirectoryServer.setDisabledPrivileges(disabledPrivileges);
+
+ DirectoryServer.setReturnBindErrorMessages(
+ globalConfig.isReturnBindErrorMessages());
}
diff --git a/opends/src/server/org/opends/server/core/DirectoryServer.java b/opends/src/server/org/opends/server/core/DirectoryServer.java
index 3388200..de50e2b 100644
--- a/opends/src/server/org/opends/server/core/DirectoryServer.java
+++ b/opends/src/server/org/opends/server/core/DirectoryServer.java
@@ -255,6 +255,9 @@
// Indicates whether the server should reject unauthenticated requests.
private boolean rejectUnauthenticatedRequests;
+ // Indicates whether bind responses should include failure reason messages.
+ private boolean returnBindErrorMessages;
+
// The configuration manager that will handle the certificate mapper.
private CertificateMapperConfigManager certificateMapperConfigManager;
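Review bot: `returnBindErrorMessages` is written from the configuration path (the test toggles it at runtime through dsconfig) and read on whatever thread is processing a bind, yet the new field is a plain `boolean` with no `volatile` or synchronization, so a change may not become visible to bind threads promptly. The neighbouring `rejectUnauthenticatedRequests` follows the same pattern, so this matches file convention, but a field that gates disclosure of authentication failure details deserves either `private volatile boolean returnBindErrorMessages;` or a comment stating that eventual visibility is acceptable. The comment on line 155 could also note the security rationale, e.g. `// Indicates whether bind responses should include failure reason messages (off by default, since they can aid an attacker).`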
@@ -726,6 +729,7 @@
new CopyOnWriteArrayList<ImportTaskListener>();
directoryServer.allowedTasks = new LinkedHashSet<String>(0);
directoryServer.disabledPrivileges = new LinkedHashSet<Privilege>(0);
+ directoryServer.returnBindErrorMessages = false;
}
@@ -7467,6 +7471,35 @@
/**
+ * Indicates whether responses to failed bind operations should include a
+ * message explaining the reason for the failure.
+ *
+ * @return {@code true} if bind responses should include error messages, or
+ * {@code false} if not.
+ */
+ public static boolean returnBindErrorMessages()
+ {
+ return directoryServer.returnBindErrorMessages;
+ }
+
+
+
+ /**
+ * Specifies whether responses to failed bind operations should include a
+ * message explaining the reason for the failure.
+ *
+ * @param returnBindErrorMessages Specifies whether responses to failed bind
+ * operations should include a message
+ * explaining the reason for the failure.
+ */
+ public static void setReturnBindErrorMessages(boolean returnBindErrorMessages)
+ {
+ directoryServer.returnBindErrorMessages = returnBindErrorMessages;
+ }
+
+
+
+ /**
* Registers the provided backup task listener with the Directory Server.
*
* @param listener The backup task listener to register with the Directory
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/core/BindOperationTestCase.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/core/BindOperationTestCase.java
index 39ac48e..40fe4ae 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/core/BindOperationTestCase.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/core/BindOperationTestCase.java
@@ -52,6 +52,7 @@
import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.opends.server.tools.LDAPSearch;
+import org.opends.server.tools.dsconfig.DSConfig;
import org.opends.server.types.Attribute;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.AuthenticationType;
@@ -1901,6 +1902,69 @@
/**
+ * Tests the behavior of the returnBindErrorMessage configuration option.
+ */
+ @Test()
+ public void testReturnBindErrorMessage()
+ {
+ // Make sure that the default behavior is to not include the error message.
+ InternalClientConnection conn =
+ new InternalClientConnection(new AuthenticationInfo());
+
+ BindOperation bindOperation =
+ conn.processSimpleBind(new ASN1OctetString("cn=Directory Manager"),
+ new ASN1OctetString("wrongpassword"));
+ assertEquals(bindOperation.getResultCode(), ResultCode.INVALID_CREDENTIALS);
+ assertTrue(((bindOperation.getErrorMessage() == null) ||
+ (bindOperation.getErrorMessage().length() == 0)),
+ bindOperation.getErrorMessage().toString());
+
+
+ // Change the server configuration so that error messages should be
+ // returned.
+ String[] args =
+ {
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapPort()),
+ "-D", "cn=Directory Manager",
+ "-w", "password",
+ "set-global-configuration-prop",
+ "--set", "return-bind-error-messages:true"
+ };
+ assertEquals(DSConfig.main(args, false, System.out, System.err), 0);
+
+ bindOperation =
+ conn.processSimpleBind(new ASN1OctetString("cn=Directory Manager"),
+ new ASN1OctetString("wrongpassword"));
+ assertEquals(bindOperation.getResultCode(), ResultCode.INVALID_CREDENTIALS);
+ assertTrue(bindOperation.getErrorMessage().length() > 0);
+
+
+ // Change the configuration back and make sure that the error message goes
+ // away.
+ args = new String[]
+ {
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapPort()),
+ "-D", "cn=Directory Manager",
+ "-w", "password",
+ "set-global-configuration-prop",
+ "--set", "return-bind-error-messages:false"
+ };
+ assertEquals(DSConfig.main(args, false, System.out, System.err), 0);
+
+ bindOperation =
+ conn.processSimpleBind(new ASN1OctetString("cn=Directory Manager"),
+ new ASN1OctetString("wrongpassword"));
+ assertEquals(bindOperation.getResultCode(), ResultCode.INVALID_CREDENTIALS);
+ assertTrue(((bindOperation.getErrorMessage() == null) ||
+ (bindOperation.getErrorMessage().length() == 0)),
+ bindOperation.getErrorMessage().toString());
+ }
+
+
+
+ /**
* Tests to ensure that performing multiple binds on a client connection will
* cause the connection to no longer be associated with the previous identity.
* This helps provide coverage for issue #1392.
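Review bot: The assertion message on lines 227-229 and 269-271 calls `bindOperation.getErrorMessage().toString()` unconditionally, so in exactly the case the assertion is written to accept — a null error message — it throws NullPointerException before `assertTrue` evaluates; use `String.valueOf(bindOperation.getErrorMessage())` instead. The test also flips a global server setting via dsconfig and only restores it on the success path, so if the middle assertion fails, `return-bind-error-messages:true` stays in effect for every later test in the suite; the restoring dsconfig call belongs in a `finally`. Asserting `DirectoryServer.returnBindErrorMessages()` right after the first dsconfig call would additionally separate a config-plumbing failure from a bind-path failure.
```java
    assertEquals(DSConfig.main(args, false, System.out, System.err), 0);
    assertTrue(DirectoryServer.returnBindErrorMessages());
    try
    {
      // … unchanged: bind with wrong password, expect a non-empty error message …
    }
    finally
    {
      // … unchanged: dsconfig call setting return-bind-error-messages:false …
    }
```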
--