A.4 Preventing User Name Discovery

In some installations, the eDirectory server is protected behind a firewall, but the iManager server is open to the outside world to allow management from home or on the road. Access to iManager is controlled with Username, Password, and Treename fields on the login screen. In such installations, it is often desirable to tighten security to avoid revealing any information about the system.

Standard iManager configurations pass through eDirectory messages related to invalid user names and passwords during iManager authentication. These messages can inadvertently provide too much information to potential crackers. To avoid this, iManager 2.7 includes a configuration option to hide the specific reason for login failure. When enabled, the following error messages are replaced with a generic error message that reads: Login Failure. Invalid Username or Password.

To enable this setting, open the Configure view and select iManager Server > Configure iManager. On the Authentication tab, select Hide specific reason for login failure. This sets Authenticate.Form.HideLoginFailReason=true in iManager’s config.xml file.

Additionally, iManager 2.7 does not support the asterisk (*) character as a wildcard in the Username field. This prevents unauthorized users from discovering valid user names. It also prevents possible denial-of-service attacks that attempt to overload the eDirectory server by continually attempting a login using only the wildcard (*), which forces eDirectory to search for and return all matching user names.