From: "Endi S. Dewata (JIRA)"
To: dev@directory.apache.org
Date: Wed, 31 Aug 2005 02:45:04 +0200 (CEST)
Subject: [jira] Created: (DIREVE-239) Anonymous user may gain access as admin user

Anonymous user may gain access as admin user
--------------------------------------------

         Key: DIREVE-239
         URL: http://issues.apache.org/jira/browse/DIREVE-239
     Project: Directory Server
        Type: Bug
    Versions: 0.9.3
    Reporter: Endi S. Dewata
 Assigned to: Alex Karasulu

Anonymous user may gain access as admin user by specifying java.naming.ldap.version=3 in the JNDI client.
To show the problem, add a print statement in the AuthenticationService.java at line 369:

    // perform the authentication
    LdapPrincipal authorizationId = authenticator.authenticate( ctx );
    // added for diagnosis: shows which identity the bind resolved to
    System.out.println("Authorization ID: "+authorizationId);

Start the server, then run the following program:

    import junit.framework.TestCase;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    public class Test extends TestCase {

        public void testAnonymousBindWithLDAPVersion3() throws Exception {
            String suffix = "dc=apache,dc=org";

            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
            // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: the client is anonymous.
            // Toggle the next line to compare the two behaviours described below.
            // env.put("java.naming.ldap.version", "3");

            DirContext ctx = new InitialDirContext(env);

            // Subtree search from the suffix; the server prints the resolved identity.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> ne = ctx.search(suffix, "(objectClass=*)", sc);

            System.out.println("Search results:");
            int counter = 0;
            while (ne.hasMore()) {
                SearchResult sr = ne.next();
                String rdn = sr.getName();
                System.out.println(" - "+("".equals(rdn) ? suffix : rdn+","+suffix));
                counter++;
            }
            System.out.println("Found "+counter+" entries.");

            ctx.close();
        }
    }

Without specifying java.naming.ldap.version=3, the user will remain anonymous (empty Authentication ID). However, with java.naming.ldap.version=3, the anonymous user gets authenticated as the admin user without even specifying any password.
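The report describes a client that supplies no credentials yet ends up with the administrator's identity once it asks for LDAP version 3 outright. As an added illustration of the defensive principle involved (this is not Apache Directory Server code; the class names, the Session model and the admin DN are hypothetical, and the assumption that a version-3 client may send operations without any preceding bind is taken as the scenario, not stated by the report), the sketch below contrasts a session layer whose unbound connections fall through to a privileged default with one whose unbound connections resolve to anonymous and are refused privileged operations.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical sketch (not Apache Directory Server code) of how a server
 * resolves the effective principal of a connection that may never have bound.
 */
public final class BindDefaultsDemo {

    /** Hypothetical principal: a DN plus whether it carries admin rights. */
    static final class Principal {
        final String dn;
        final boolean admin;
        Principal(String dn, boolean admin) { this.dn = dn; this.admin = admin; }
        @Override public String toString() { return dn.isEmpty() ? "<anonymous>" : dn; }
    }

    static final Principal ANONYMOUS = new Principal("", false);
    // Constructed admin DN for the demo only.
    static final Principal ADMIN = new Principal("uid=admin,ou=system", true);

    /** A connection; 'bound' stays null until a bind operation has succeeded. */
    static final class Session {
        Principal bound;
    }

    /** Vulnerable pattern: an unbound session falls through to the server's own identity. */
    static Principal principalUnsafe(Session s) {
        return s.bound != null ? s.bound : ADMIN;
    }

    /** Hardened pattern: no bind means anonymous, never anything more. */
    static Principal principalSafe(Session s) {
        return s.bound != null ? s.bound : ANONYMOUS;
    }

    /**
     * Simulated simple bind. Empty DN and empty password is an anonymous bind;
     * anything else must match the stored credential or is rejected outright.
     */
    static Principal simpleBind(String dn, char[] password, Map<String, char[]> credentials) {
        if (dn.isEmpty() && password.length == 0) {
            return ANONYMOUS;
        }
        char[] stored = credentials.get(dn);
        if (stored == null || !Arrays.equals(stored, password)) {
            throw new SecurityException("invalid credentials for " + dn);
        }
        return new Principal(dn, dn.equals(ADMIN.dn));
    }

    /** Access check: privileged operations (e.g. modify) require an admin principal. */
    static boolean authorize(Principal p, boolean privileged) {
        return !privileged || p.admin;
    }

    public static void main(String[] args) {
        // Constructed credential store for the demo.
        Map<String, char[]> credentials = new HashMap<String, char[]>();
        credentials.put(ADMIN.dn, "secret".toCharArray());

        // Case 1: the client sends a search without ever binding.
        Session unbound = new Session();
        System.out.println("unbound, unsafe default -> " + principalUnsafe(unbound)
                + ", may modify: " + authorize(principalUnsafe(unbound), true));
        System.out.println("unbound, safe default   -> " + principalSafe(unbound)
                + ", may modify: " + authorize(principalSafe(unbound), true));

        // Case 2: an explicit anonymous bind (empty DN, empty password).
        Session anon = new Session();
        anon.bound = simpleBind("", new char[0], credentials);
        System.out.println("anonymous bind          -> " + principalSafe(anon)
                + ", may modify: " + authorize(principalSafe(anon), true));

        // Case 3: a genuine admin bind with the right password.
        Session admin = new Session();
        admin.bound = simpleBind(ADMIN.dn, "secret".toCharArray(), credentials);
        System.out.println("admin bind              -> " + principalSafe(admin)
                + ", may modify: " + authorize(principalSafe(admin), true));
    }
}
```

The point of the contrast is the default in the absence of a bind: a session layer should treat "no authentication happened" exactly like an anonymous bind, and every authorization decision downstream should be made against that anonymous principal rather than against whatever identity the server process itself runs as.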