OPENDJ-1443

OpenDJ returns "invalid credential: expired" when the password has expired, even if the provided password is wrong


    Details


      Description

This issue follows this thread: https://lists.forgerock.org/pipermail/opendj/2014-April/003832.html

When a password is expired, a bind returns "invalid credential: expired" even if the password is not correct. As a consequence, I am not able to determine whether the authentication request is well-founded or whether it is a malicious one. The user will always be redirected to the change-password page, and a malicious user will know that this username exists.

By the way, even if the account is locked, or the password is expired or reset, I try not to disclose the validity of the username and follow this flow: "username/password => auth ok => check account usability".
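The following is an added illustration, not OpenDJ code and not part of the original ticket: a small Python simulation of an LDAP-style bind over a constructed in-memory directory. `bind_state_first` reproduces the ordering the ticket reports (account usability evaluated before the password, so an expired or locked account answers with its state to any password), and `bind_password_first` implements the flow the reporter asks for (password verified first, account state disclosed only to a caller who proved possession of the correct password). All user names, passwords, function names and the `DIRECTORY` structure are assumptions made for the example; the `enumerate_users` helper shows what an attacker learns from one wrong-password bind per candidate name under each ordering.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly; raise in real code


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Entry:
    salt: bytes
    pw_hash: bytes
    expired: bool = False   # password past its expiration time
    locked: bool = False    # account locked (e.g. too many failures)
    must_change: bool = False  # password administratively reset


def make_entry(password: str, **state) -> Entry:
    salt = os.urandom(16)
    return Entry(salt, _hash_password(password, salt), **state)


# Constructed sample directory (assumption for this example, not real data).
DIRECTORY = {
    "alice": make_entry("correct horse", expired=True),
    "bob": make_entry("battery staple"),
    "carol": make_entry("s3cret", locked=True),
    "dan": make_entry("temp-pass", must_change=True),
}

# Dummy entry hashed against when the user does not exist, so that a missing
# user costs the same time as a wrong password and is not detectable by timing.
_DUMMY = make_entry("unused")

GENERIC = "invalid credentials"


def password_matches(entry: Entry, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, entry.salt), entry.pw_hash)


def _state_message(entry: Entry) -> str:
    if entry.locked:
        return "invalid credentials: locked"
    if entry.expired:
        return "invalid credentials: expired"
    if entry.must_change:
        return "invalid credentials: password reset, change required"
    return "ok"


def bind_state_first(user: str, password: str) -> str:
    """Ordering reported in the ticket: account state is checked before the
    password, so any password at all reveals that 'alice' exists and is expired."""
    entry = DIRECTORY.get(user)
    if entry is None:
        password_matches(_DUMMY, password)
        return GENERIC
    state = _state_message(entry)
    if state != "ok":
        return state
    if not password_matches(entry, password):
        return GENERIC
    return "ok"


def bind_password_first(user: str, password: str) -> str:
    """Flow the reporter asks for: username/password => auth ok => check account
    usability. A wrong password always yields the same generic answer, whether
    the user is missing, locked, expired or reset."""
    entry = DIRECTORY.get(user)
    if entry is None:
        password_matches(_DUMMY, password)
        return GENERIC
    if not password_matches(entry, password):
        return GENERIC
    return _state_message(entry)


def enumerate_users(bind, candidates, guess: str = "wrong-password") -> list:
    """Names an attacker can confirm from one wrong-password bind each."""
    return sorted(u for u in candidates if bind(u, guess) != GENERIC)


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dan", "eve"]
    print("state-first leaks:", enumerate_users(bind_state_first, names))
    print("password-first leaks:", enumerate_users(bind_password_first, names))
```

Under the password-first ordering the only difference an attacker can observe between a nonexistent user and an existing one is timing, which is why the missing-user branch still performs a hash computation against a dummy entry.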

People

• Assignee: Chris Ridd (cjr)
• Reporter: Nicolas Labrot (nithril) (Inactive)
• Votes: 0
• Watchers: 2
