From: "Alex Karasulu (JIRA)"
To: dev@directory.apache.org
Date: Mon, 12 Sep 2005 01:22:36 +0200 (CEST)
Subject: [jira] Resolved: (DIREVE-239) Anonymous user may gain access as admin user

[ http://issues.apache.org/jira/browse/DIREVE-239?page=all ]

Alex Karasulu resolved DIREVE-239:
----------------------------------

    Fix Version: 0.9.3
     Resolution: Fixed

Committed in revision 280210 here: http://svn.apache.org/viewcvs.cgi?view=rev&rev=280210

> Anonymous user may gain access as admin user
>
> --------------------------------------------
>
>          Key: DIREVE-239
>          URL: http://issues.apache.org/jira/browse/DIREVE-239
>      Project: Directory Server
>         Type: Bug
>     Versions: 0.9.3
>     Reporter: Endi S. Dewata
>     Assignee: Alex Karasulu
>     Priority: Blocker
>      Fix For: 0.9.3
>
> Anonymous user may gain access as admin user by specifying java.naming.ldap.version=3 in the JNDI client.
>
> To show the problem, add a print statement in the AuthenticationService.java at line 369:
>
>     // perform the authentication
>     LdapPrincipal authorizationId = authenticator.authenticate( ctx );
>     System.out.println("Authorization ID: "+authorizationId);
>
> Start the server, then run the following program:
>
>     import junit.framework.TestCase;
>     import javax.naming.Context;
>     import javax.naming.NamingEnumeration;
>     import javax.naming.directory.*;
>     import java.util.Hashtable;
>
>     public class Test extends TestCase {
>
>         public void testAnonymousBindWithLDAPVersion3() throws Exception {
>             String suffix = "dc=apache,dc=org";
>
>             // No SECURITY_PRINCIPAL or SECURITY_CREDENTIALS: the connection should be anonymous.
>             Hashtable env = new Hashtable();
>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
>             // Uncomment the next line to reproduce the problem.
>             // env.put("java.naming.ldap.version", "3");
>
>             DirContext ctx = new InitialDirContext(env);
>
>             // Subtree search from the suffix; list whatever the server lets this user see.
>             SearchControls sc = new SearchControls();
>             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
>             NamingEnumeration ne = ctx.search(suffix, "(objectClass=*)", sc);
>
>             System.out.println("Search results:");
>             int counter = 0;
>             while (ne.hasMore()) {
>                 SearchResult sr = (SearchResult)ne.next();
>                 String rdn = sr.getName();
>                 System.out.println("  - "+("".equals(rdn) ? suffix : rdn+","+suffix));
>                 counter++;
>             }
>             System.out.println("Found "+counter+" entries.");
>
>             ctx.close();
>         }
>     }
>
> Without specifying java.naming.ldap.version=3, the user will remain anonymous (empty Authentication ID). However, with java.naming.ldap.version=3, the anonymous user gets authenticated as the admin user without even specifying any password.
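As an added illustration (not ApacheDS code, and not the actual change in revision 280210), a hypothetical model of the bind-to-principal decision a server should make, plus the regression check the report implies: every credential-less path, on both protocol versions, must resolve to the empty authorization id. The Session class, resolve_principal, the credential store and the admin DN are constructed for this example.

```python
# Hypothetical model of bind handling in a directory server (added example, not ApacheDS code).
# Rule: a privileged principal is assigned only after a password check succeeds; the protocol
# version, a skipped bind and empty credentials all resolve to anonymous or are refused.
import hmac
from dataclasses import dataclass
from typing import Dict

ANONYMOUS = ""                    # empty authorization id, as printed in the report
ADMIN_DN = "uid=admin,ou=system"  # constructed sample admin DN

# Constructed credential store: DN -> password (a real server compares password hashes).
CREDENTIALS: Dict[str, str] = {ADMIN_DN: "secret"}


@dataclass
class Session:
    ldap_version: int          # 2 or 3, as requested by the client (java.naming.ldap.version)
    bind_sent: bool = False    # an LDAPv3 client may issue operations without any BindRequest
    bind_dn: str = ""
    password: str = ""


class InvalidCredentials(Exception):
    """Bind rejected: the client gets no principal at all."""


def resolve_principal(session: Session) -> str:
    """Return the authorization id for the session; the version field is never a credential."""
    if session.ldap_version not in (2, 3):
        raise InvalidCredentials("unsupported protocol version")
    if not session.bind_sent:                       # no BindRequest: anonymous, nothing else
        return ANONYMOUS
    if session.bind_dn == "" and session.password == "":
        return ANONYMOUS                            # explicit anonymous bind
    if session.password == "":                      # DN without password (RFC 4513 5.1.2):
        raise InvalidCredentials("unauthenticated bind refused")   # refuse, never downgrade
    stored = CREDENTIALS.get(session.bind_dn)
    if stored is None or not hmac.compare_digest(stored, session.password):
        raise InvalidCredentials("invalid credentials")
    return session.bind_dn


def admin_reachable_without_password() -> bool:
    """Regression check mirroring the report: probe every password-less path on v2 and v3."""
    probes = [Session(ldap_version=v, bind_sent=b) for v in (2, 3) for b in (False, True)]
    probes.append(Session(ldap_version=3, bind_sent=True, bind_dn=ADMIN_DN))
    for s in probes:
        try:
            if resolve_principal(s) == ADMIN_DN:
                return True
        except InvalidCredentials:
            pass
    return False
```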