directory-dev mailing list archives

From "Alex Karasulu" <>
Subject Re: ApacheDS bigbang configuration: allowAnonymousAccess Question
Date Sun, 30 Dec 2007 17:50:18 GMT

There are different levels at which anonymous access is controlled depending
on how an anonymous user comes into the system.  At a bare minimum in
embedded mode the authentication interceptor needs some configuration on how
to handle users that are anonymous.  Then if LDAP access is enabled over the
wire then this configuration information is needed by the protocol services
as well.  I guess this can be extracted from the directory service but
sometimes there may need to be some override - don't remember exactly.

What I want to do is finish up a few things in this second phase that
affect how authentication may be done and review the authentication
interceptor and this configuration stuff.  Something here is not right and I
have not had the time to really sit down and figure it all out.

Perhaps we should just suspend this one parameter's documentation until
these issues are clearly resolved or understood?


On Dec 30, 2007 9:13 AM, Stefan Zoerner <> wrote:

> Hi all,
> I am currently reworking the Basic User's Guide in cwiki for the upcoming 2.0
> version of ApacheDS.
> Let me first say that the new configuration file server.xml with the
> xbean stuff is much clearer and therefore also easier to document against.
> During configuration of authentication options for chapter 3.1 ("Basic
> Security -- Authentication options") I faced a problem with the
> attribute allowAnonymousAccess.
> It is allowed in three elements in server.xml (and used in all of them
> in the default file which comes with the installer as well):
> (1) apacheDS
>   <apacheDS id="apacheDS"
>             synchPeriodMillis="15000"
>             allowAnonymousAccess="false">
>    ...
> (2) defaultDirectoryService
>   <defaultDirectoryService id="directoryService" instanceId="default"
>                            workingDirectory=""
>                            allowAnonymousAccess="false"
>    ...
> (3) <ldapServer id="ldapServer"
>               ipPort="10389"
>               allowAnonymousAccess="false"
>    ...
> I am not really sure which combinations of true and false values in
> these areas are valid, and which behavior they should show.
> For instance it is sufficient to enable anonymous access on the apacheDS
> level (allowAnonymousAccess="true"), all other elements can still remain
> false, but anonymous binds work.
> Does a configuration on a higher level (apacheDS) overwrite values below
> (ldapServer)? I guess not ...
> Any help here is highly welcome. I would like to document legal and
> intended configuration and behavior.
> Thanks in advance and greetings from Hamburg,
>     Stefan
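
Added example, not part of either message and not ApacheDS code: a small audit that reads a server.xml and reports allowAnonymousAccess on the three elements named in the quoted message, flagging mixed values. It assumes elements can be matched by local name regardless of XML namespace, reports a missing attribute as unset rather than guessing a default, and treats a single "true" anywhere as "anonymous binds possible", following the behaviour the quoted message reports; the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Elements that carry allowAnonymousAccess in the quoted server.xml.
ELEMENTS = ("apacheDS", "defaultDirectoryService", "ldapServer")

# Constructed sample (not a real ApacheDS file): only the top level enables
# anonymous access, the combination the quoted message reports as allowing binds.
SAMPLE = """<beans>
  <defaultDirectoryService id="directoryService" instanceId="default"
                           allowAnonymousAccess="false"/>
  <ldapServer id="ldapServer" ipPort="10389" allowAnonymousAccess="false"/>
  <apacheDS id="apacheDS" synchPeriodMillis="15000" allowAnonymousAccess="true"/>
</beans>"""


def local_name(tag):
    """Strip an XML namespace: '{uri}ldapServer' -> 'ldapServer'."""
    return tag.rsplit("}", 1)[-1]


def collect(xml_text):
    """Return {(element, id): 'true' | 'false' | None} for the three elements."""
    found = {}
    for node in ET.fromstring(xml_text).iter():
        name = local_name(node.tag)
        if name in ELEMENTS:
            value = node.get("allowAnonymousAccess")
            found[(name, node.get("id"))] = value.strip().lower() if value else None
    return found


def audit(xml_text):
    """Summarise the settings and flag combinations that need a manual check."""
    settings = collect(xml_text)
    enabled = sorted(k[0] for k, v in settings.items() if v == "true")
    unset = sorted(k[0] for k, v in settings.items() if v is None)
    values = {v for v in settings.values() if v is not None}
    return {
        "settings": settings,
        "enabled_in": enabled,
        "unset_in": unset,
        "inconsistent": len(values) > 1,
        # Conservative: one 'true' anywhere is treated as anonymous binds possible.
        "anonymous_possible": bool(enabled),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
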
