directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-606) ou=users, ou=system - user cannot see their own entry
Date Mon, 24 Apr 2006 11:15:06 GMT
    [ http://issues.apache.org/jira/browse/DIRSERVER-606?page=comments#action_12376008 ] 

Emmanuel Lecharny commented on DIRSERVER-606:
---------------------------------------------

Stefan,

DnParser is internally synchronized, so there is no need to synchronize it outside. DnParser.parse
should be totally stateless, but actually it's not, this is why it has been synchronized.
However, this is not a problem.

What I did may not be enough, as you stated, and your patch is better, but the question is
: do we need to handle this bug? The problem is that if we fix it, user can see it's password,
and super-user can see *all* passwords. Is that an expected feature? I don't think so. Alex
pointed that this is OldAuthz, so it should be replaced by the newer one, with ACIs. I think
that's very valid. Another solution could be to avoid sending userPassword in the response.

For Alex it's like it is legacy interceptor. May be we should suppress it from configuration.


Patching the server is quite easy, we can do it in five minutes, and your patch is ok (regardless
to synchronization). But do we have to do it? That's the main point... 

wdyt ?

btw, we must merge LdapName and LdapDN. We reached the conclusion with Alex that LdapName
must be deleted, to avoid confusion with jdk 1.5 LdapName behavior. As we have another implementation
(LdapDN) which is totally thread safe (without synchronization) and twice faster, this is
the way to go. But it's not an simple patch, because LdapName is used all over the code. We
may have a impact analysis before doing this move. A confluence page has been added for this
task, but it's far from being complete.

> ou=users, ou=system - user cannot see their own entry
> -----------------------------------------------------
>
>          Key: DIRSERVER-606
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-606
>      Project: Directory ApacheDS
>         Type: Bug

>     Versions: 1.0-RC1
>  Environment: JDK 1.4.1
> Tried both JXplorer, and from ACEGI security
>     Reporter: Marc Batchelor
>     Assignee: Stefan Zoerner
>     Priority: Critical
>  Attachments: patch.txt, patch_DIRSERVER-606_2.txt
>
> User binds to ApacheDS as a user under ou=users, ou=system. The user cannot see their
own entry to get their own attributes.
> Documentation states: Users cannot see other user entries under the 'ou=users,ou=system'
entry.
> Agreed and understood. But, the user, after binding with the directory, cannot even find
their own entry to get their own attributes. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message