directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Endi S. Dewata (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-605) Inconsistent behavior with anonymous access
Date Thu, 30 Mar 2006 17:50:30 GMT
    [ http://issues.apache.org/jira/browse/DIRSERVER-605?page=comments#action_12372481 ] 

Endi S. Dewata commented on DIRSERVER-605:
------------------------------------------

Hi Alex,

The "LDAP Client" tests were performed using Novell's JLDAP library without explicit bind.
This should be possible under LDAP v3. As you can see in the attached program, the test case
goes like this:

    LDAPConnection connection = new LDAPConnection();
    connection.connect("localhost", 10389);

    LDAPSearchResults results = connection.search("", LDAPConnection.SCOPE_BASE,
        "(objectClass=*)", new String[0], false);

Here is the Javadoc of LDAPConnection class:
https://svn.safehaus.org/repos/penrose/trunk/docs/ietf/org/ietf/ldap/LDAPConnection.html

In the "V2 LDAP Client" it calls bind() before calling search():

    connection.bind(2, null, null);   // bind anonymously

The same thing is done in "V3 LDAP Client" tests.

Now the issues are:

1. In the 0.9.3 results (which I incorrectly marked as 1.0-RC1) when allowAnonymousAccess=true
everything passed. However when allowAnonymousAccess=false some test cases passed and some
failed. Granted that 0.9.3 is an old code and not being maintained anymore, this is probably
a bug but ok if not fixed.

2. In the 1.1 results when allowAnonymousAccess=true only V2 test cases failed. While Root
DSE is only defined in LDAPv3, I don't think it limits V2 clients to query Root DSE. Also,
V2 clients were already supported in 0.9.3, why not support it in 1.1?

3. In the 1.1 results when allowAnonymousAccess=false, all V2 clients failed, also "V3 JNDI
Client" and "LDAP Client (no bind)" failed. The allowAnonymousAccess parameter is not defined
in any RFC. To my understanding when it's set to false it could mean:
 - reject anonymous access except to Root DSE, or
 - reject all anonymous acces including Root DSE.
However, none of these definitions can describe the test results. What is the real definition
for allowAnonymousAccess?

Thank you very much!

Endi


> Inconsistent behavior with anonymous access
> -------------------------------------------
>
>          Key: DIRSERVER-605
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-605
>      Project: Directory ApacheDS
>         Type: Bug
>   Components: core
>     Versions: 1.0-RC1, 1.1.0
>     Reporter: Endi S. Dewata
>  Attachments: AnonymousAccessTest.java
>
> Searching the Root DSE as an anonymous user using different clients produces inconsistent
results. 
> The tests were performed using Sun's JNDI client and Novell's Java LDAP client (http://www.openldap.org/jldap).
Please the notes in the attached test case for more details.
> On ApacheDS 1.0-RC1 with allowAnonymousAccess=true the results are:
>  - JNDI Client    : pass
>  - V2 JNDI Client : pass
>  - V3 JNDI Client : pass
>  - LDAP Client    : pass
>  - V2 LDAP Client : pass
>  - V3 LDAP Client : pass
> In this scenario everything passes as expected.
> On ApacheDS 1.0-RC1 with allowAnonymousAccess=false the results are:
>  - JNDI Client    : pass
>  - V2 JNDI Client : pass
>  - V3 JNDI Client : fail
>  - LDAP Client    : fail
>  - V2 LDAP Client : pass
>  - V3 LDAP Client : pass
> In this scenario everything was expected to fail.
> On ApacheDS 1.1 with allowAnonymousAccess=true the results are:
>  - JNDI Client    : pass
>  - V2 JNDI Client : fail
>  - V3 JNDI Client : pass
>  - LDAP Client    : pass
>  - V2 LDAP Client : fail
>  - V3 LDAP Client : pass
> In this scenario everything was expected to pass.
> On ApacheDS 1.1 with allowAnonymousAccess=false the results are:
>  - JNDI Client    : pass
>  - V2 JNDI Client : fail
>  - V3 JNDI Client : fail
>  - LDAP Client    : fail
>  - V2 LDAP Client : fail
>  - V3 LDAP Client : pass
> In this scenario everything was expected to fail.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message