From: "Stefan Zoerner (JIRA)"
To: dev@directory.apache.org
Reply-To: "Apache Directory Developers List" <dev@directory.apache.org>
Date: Tue, 25 Oct 2005 23:56:56 +0200 (CEST)
Subject: [jira] Commented: (DIREVE-283) If anonymous access is disabled, reading the Root DSE is forbidden by the server
Message-ID: <1919262914.1130277416432.JavaMail.jira@ajax.apache.org>
In-Reply-To: <740246398.1130093463806.JavaMail.jira@ajax.apache.org>

[ http://issues.apache.org/jira/browse/DIREVE-283?page=comments#action_12355898 ]

Stefan Zoerner commented on DIREVE-283:
---------------------------------------

I was wrong. The other problem mentioned above has nothing to do with this issue here.
It is related to resolving DIREVE-274. I have filed it in new DIREVE-294 ("Search filters with wrong case in attribute names lead to wrong result").

> If anonymous access is disabled, reading the Root DSE is forbidden by the server
> --------------------------------------------------------------------------------
>
>          Key: DIREVE-283
>          URL: http://issues.apache.org/jira/browse/DIREVE-283
>      Project: Directory Server
>         Type: Bug
>     Reporter: Stefan Zoerner
>     Assignee: Alex Karasulu
>      Fix For: 0.9.3
>
> If anonymous access is disabled, i.e. configuration is
> false
> a client which binds anonymously is not allowed to fetch any Root DSE data.
>
> $ ldapsearch -b "" -s base -p 10389 "(objectclass=*)"
> ldap_simple_bind: Insufficient access
>
> It is expected that a client is at least able to read the attribute supportedSASLMechanisms if connected anonymously. This is because s/he can then decide which mechanism fits his/her needs best, before authentication. Here is what RFC 2829 says:
>
> 5. Anonymous authentication
> ...
> LDAP implementations MUST support anonymous authentication, as
> defined in section 5.1.
> ...
> While there MAY be access control restrictions to prevent access to
> directory entries, an LDAP server SHOULD allow an anonymously-bound
> client to retrieve the supportedSASLMechanisms attribute of the root
> DSE.
> ...
>
> It is quite normal that LDAP servers present the other information advertised in the Root DSE to anonymously connected clients as well (e.g. supportedLDAPVersion, namingContexts), even if anonymous binds are not allowed (e.g. default configuration of Active Directory).
> But it seems to be up to us which information we give anonymously bound users (except supportedSASLMechanisms); this is what RFC 2251 says:
>
> 3.4. Server-specific Data Requirements
>
> An LDAP server MUST provide information about itself and other
> information that is specific to each server. This is represented as
> a group of attributes located in the root DSE (DSA-Specific Entry),
> which is named with the zero-length LDAPDN. These attributes are
> retrievable if a client performs a base object search of the root
> with filter "(objectClass=*)", however they are subject to access
> control restrictions.

-- 
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
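The exchange the ticket describes (anonymous simple bind, then a base-scope search of the Root DSE with filter "(objectclass=*)" asking for supportedSASLMechanisms) as an added, stand-alone Python example; it is not ApacheDS code and not part of the JIRA thread. It uses only the standard library, hand-encodes the LDAPv3 BER messages from RFC 2251, decodes the server's BindResponse / SearchResultEntry / SearchResultDone, and applies the RFC 2829 section 5 expectation quoted above as a pass/fail verdict. The `probe()` function talks to a real server (the hostname is the caller's; port 10389 is the one from the ticket's ldapsearch command), while `REJECTED` and `COMPLIANT` are constructed replies, not captures from ApacheDS: the first reproduces the insufficientAccessRights (50) outcome the ticket reports, the second what a compliant server answers. Attribute type names are matched case-insensitively, since LDAP attribute names are case-insensitive (the point of the DIREVE-294 follow-up mentioned in the comment).

```python
import socket

# Minimal BER/LDAPv3 encoder and decoder (RFC 2251 wire format) for an anonymous bind and the
# base-scope Root DSE search from the ticket, plus decoding of the server's replies.

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body            # long form for lengths >= 128
def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload
def ber_int(v, tag=0x02):                              # non-negative INTEGER/ENUMERATED only
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def ldap_message(msg_id, op):
    return tlv(0x30, ber_int(msg_id) + op)

def anonymous_bind_request(msg_id=1):
    # BindRequest [APPLICATION 0]: version 3, empty name, simple [0] auth with empty password.
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")))

def root_dse_search_request(attrs, msg_id=2):
    # SearchRequest [APPLICATION 3]: base "", scope baseObject, derefAliases never, no size or
    # time limit, typesOnly FALSE, present filter [7] on objectClass, i.e. "(objectclass=*)".
    body = (tlv(0x04, b"") + ber_int(0, 0x0A) + ber_int(0, 0x0A) + ber_int(0) + ber_int(0)
            + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass")
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return ldap_message(msg_id, tlv(0x63, body))

def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = ber_read(payload, pos)
        items.append((tag, val))
    return items
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials", 50: "insufficientAccessRights"}

def parse_message(buf):
    """Decode a server LDAPMessage: BindResponse, SearchResultEntry or SearchResultDone."""
    _, payload, _ = ber_read(buf)
    (_, mid), (op_tag, op_val) = ber_children(payload)[:2]
    msg_id = int.from_bytes(mid, "big")
    if op_tag in (0x61, 0x65):              # both carry an LDAPResult: code, matchedDN, message
        (_, code), _, (_, err) = ber_children(op_val)[:3]
        return {"id": msg_id, "op": "bindResponse" if op_tag == 0x61 else "searchResDone",
                "code": int.from_bytes(code, "big"), "message": err.decode()}
    if op_tag == 0x64:                      # SearchResultEntry: objectName + PartialAttributes
        (_, dn), (_, attr_seq) = ber_children(op_val)[:2]
        attrs = {}
        for _, pa in ber_children(attr_seq):
            (_, name), (_, vals) = ber_children(pa)[:2]
            attrs[name.decode()] = [v.decode() for _, v in ber_children(vals)]
        return {"id": msg_id, "op": "searchResEntry", "dn": dn.decode(), "attrs": attrs}
    raise ValueError("unexpected protocol op tag 0x%02x" % op_tag)

def verdict(replies):
    """RFC 2829 s.5 check: an anonymously bound client should be able to read supportedSASLMechanisms."""
    if replies[0]["code"] != 0:
        reason = RESULT_CODES.get(replies[0]["code"], replies[0]["code"])
        return "anonymous bind rejected (%s): Root DSE unreadable" % reason
    entries = [r for r in replies if r["op"] == "searchResEntry"]
    attrs = {k.lower(): v for k, v in entries[0]["attrs"].items()} if entries else {}  # names are case-insensitive
    mechs = attrs.get("supportedsaslmechanisms")
    if mechs:
        return "ok: supportedSASLMechanisms = " + ",".join(mechs)
    return "bind accepted, but supportedSASLMechanisms is not readable anonymously"

def recv_message(f):                                   # read exactly one TLV from a socket file
    head = f.read(2)
    extra = f.read(head[1] & 0x7F) if head[1] & 0x80 else b""
    length = int.from_bytes(extra, "big") if extra else head[1]
    return head + extra + f.read(length)

def probe(host, port=10389):
    """Live check; host is the caller's, 10389 is the port used by the ticket's ldapsearch."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        s.sendall(anonymous_bind_request())
        replies = [parse_message(recv_message(f))]
        if replies[0]["code"] == 0:
            s.sendall(root_dse_search_request(["supportedSASLMechanisms"]))
            while replies[-1]["op"] != "searchResDone":
                replies.append(parse_message(recv_message(f)))
        return replies

# Constructed server replies for the offline demonstration (not captured from ApacheDS).
def ldap_result(op_tag, code, msg_id, message=""):
    res = ber_int(code, 0x0A) + tlv(0x04, b"") + tlv(0x04, message.encode())
    return ldap_message(msg_id, tlv(op_tag, res))
def search_entry(dn, attrs, msg_id):
    pas = b"".join(tlv(0x30, tlv(0x04, k.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode())
                   for v in vs))) for k, vs in attrs.items())
    return ldap_message(msg_id, tlv(0x64, tlv(0x04, dn.encode()) + tlv(0x30, pas)))

REJECTED = [parse_message(ldap_result(0x61, 50, 1))]   # the behaviour the ticket reports
COMPLIANT = [parse_message(ldap_result(0x61, 0, 1)),
             parse_message(search_entry("", {"supportedSASLMechanisms": ["DIGEST-MD5", "CRAM-MD5"]}, 2)),
             parse_message(ldap_result(0x65, 0, 2))]
```

`verdict(REJECTED)` reports the rejected bind, which is exactly the situation the ticket describes: because the bind itself fails with insufficientAccessRights, the client never gets to the Root DSE search, so it cannot even learn which SASL mechanisms it could use instead. `verdict(COMPLIANT)` returns the mechanism list. The RFC only says the server SHOULD expose supportedSASLMechanisms; which other Root DSE attributes (namingContexts, supportedLDAPVersion, ...) are returned to an anonymous client remains an access-control decision, which is why the search request takes an explicit attribute list rather than asking for everything.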