Return-Path: Delivered-To: apmail-directory-dev-archive@www.apache.org Received: (qmail 42242 invoked from network); 30 Mar 2006 17:50:55 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 30 Mar 2006 17:50:55 -0000 Received: (qmail 95358 invoked by uid 500); 30 Mar 2006 17:50:53 -0000 Delivered-To: apmail-directory-dev-archive@directory.apache.org Received: (qmail 95292 invoked by uid 500); 30 Mar 2006 17:50:52 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 95281 invoked by uid 99); 30 Mar 2006 17:50:52 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Mar 2006 09:50:52 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Mar 2006 09:50:51 -0800 Received: from ajax (localhost.localdomain [127.0.0.1]) by ajax.apache.org (Postfix) with ESMTP id D3A586ACB1 for ; Thu, 30 Mar 2006 18:50:30 +0100 (BST) Message-ID: <1455150577.1143741030854.JavaMail.jira@ajax> Date: Thu, 30 Mar 2006 18:50:30 +0100 (BST) From: "Endi S. Dewata (JIRA)" To: dev@directory.apache.org Subject: [jira] Commented: (DIRSERVER-605) Inconsistent behavior with anonymous access In-Reply-To: <214224027.1143670708335.JavaMail.jira@ajax> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/DIRSERVER-605?page=comments#action_12372481 ] Endi S. Dewata commented on DIRSERVER-605: ------------------------------------------ Hi Alex, The "LDAP Client" tests were performed using Novell's JLDAP library without explicit bind. This should be possible under LDAP v3. As you can see in the attached program, the test case goes like this: LDAPConnection connection = new LDAPConnection(); connection.connect("localhost", 10389); LDAPSearchResults results = connection.search("", LDAPConnection.SCOPE_BASE, "(objectClass=*)", new String[0], false); Here is the Javadoc of LDAPConnection class: https://svn.safehaus.org/repos/penrose/trunk/docs/ietf/org/ietf/ldap/LDAPConnection.html In the "V2 LDAP Client" it calls bind() before calling search(): connection.bind(2, null, null); // bind anonymously The same thing is done in "V3 LDAP Client" tests. Now the issues are: 1. In the 0.9.3 results (which I incorrectly marked as 1.0-RC1) when allowAnonymousAccess=true everything passed. However when allowAnonymousAccess=false some test cases passed and some failed. Granted that 0.9.3 is an old code and not being maintained anymore, this is probably a bug but ok if not fixed. 2. In the 1.1 results when allowAnonymousAccess=true only V2 test cases failed. While Root DSE is only defined in LDAPv3, I don't think it limits V2 clients to query Root DSE. Also, V2 clients were already supported in 0.9.3, why not support it in 1.1? 3. In the 1.1 results when allowAnonymousAccess=false, all V2 clients failed, also "V3 JNDI Client" and "LDAP Client (no bind)" failed. The allowAnonymousAccess parameter is not defined in any RFC. To my understanding when it's set to false it could mean: - reject anonymous access except to Root DSE, or - reject all anonymous acces including Root DSE. However, none of these definitions can describe the test results. What is the real definition for allowAnonymousAccess? Thank you very much! Endi > Inconsistent behavior with anonymous access > ------------------------------------------- > > Key: DIRSERVER-605 > URL: http://issues.apache.org/jira/browse/DIRSERVER-605 > Project: Directory ApacheDS > Type: Bug > Components: core > Versions: 1.0-RC1, 1.1.0 > Reporter: Endi S. Dewata > Attachments: AnonymousAccessTest.java > > Searching the Root DSE as an anonymous user using different clients produces inconsistent results. > The tests were performed using Sun's JNDI client and Novell's Java LDAP client (http://www.openldap.org/jldap). Please the notes in the attached test case for more details. > On ApacheDS 1.0-RC1 with allowAnonymousAccess=true the results are: > - JNDI Client : pass > - V2 JNDI Client : pass > - V3 JNDI Client : pass > - LDAP Client : pass > - V2 LDAP Client : pass > - V3 LDAP Client : pass > In this scenario everything passes as expected. > On ApacheDS 1.0-RC1 with allowAnonymousAccess=false the results are: > - JNDI Client : pass > - V2 JNDI Client : pass > - V3 JNDI Client : fail > - LDAP Client : fail > - V2 LDAP Client : pass > - V3 LDAP Client : pass > In this scenario everything was expected to fail. > On ApacheDS 1.1 with allowAnonymousAccess=true the results are: > - JNDI Client : pass > - V2 JNDI Client : fail > - V3 JNDI Client : pass > - LDAP Client : pass > - V2 LDAP Client : fail > - V3 LDAP Client : pass > In this scenario everything was expected to pass. > On ApacheDS 1.1 with allowAnonymousAccess=false the results are: > - JNDI Client : pass > - V2 JNDI Client : fail > - V3 JNDI Client : fail > - LDAP Client : fail > - V2 LDAP Client : fail > - V3 LDAP Client : pass > In this scenario everything was expected to fail. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira