Stefan,

There are different levels at which anonymous access is controlled depending on how an anonymous user comes into the system. At a bare minimum in embedded mode the authentication interceptor needs some configuration on how to handle users that are anonymous. Then if LDAP access is enabled over the wire then this configuration information is needed by the protocol services as well. I guess this can be extracted from the directory service but sometimes there may need to be some override - don't remember exactly.

What I want to do is finish up a few things in this second phase that affect how authentication may be done and review the authentication interceptor and this configuration stuff. Something here is not right and I have not had the time to really sit down and figure it all out.

Perhaps we should just suspend this one parameter's documentation until these issues are clearly resolved or understood?

Thanks,
Alex

On Dec 30, 2007 9:13 AM, Stefan Zoerner <stefan@labeo.de> wrote:
Hi all,

I am currently reworking the Basic User's Guide in cwiki for the upcoming 2.0
version of ApacheDS.

Let me first say that the new configuration file server.xml with the
xbean stuff is much clearer and therefore also easier to document against.

During configuration of authentication options for chapter 3.1 ("Basic
Security -- Authentication options") I faced a problem with the
attribute allowAnonymousAccess.

It is allowed in three elements in server.xml (and used in all of them
in the default file which comes with the installer as well):

(1) apacheDS

  <apacheDS id="apacheDS"
            synchPeriodMillis="15000"
            allowAnonymousAccess="false">
   ...

(2) defaultDirectoryService

  <defaultDirectoryService id="directoryService" instanceId="default"
                           workingDirectory="example.com"
                           allowAnonymousAccess="false"
   ...

(3) ldapServer

  <ldapServer id="ldapServer"
              ipPort="10389"
              allowAnonymousAccess="false"
   ...

I am not really sure which combinations of true and false values in
these areas are valid, and which behavior they should show.

For instance it is sufficient to enable anonymous access on the apacheDS
level (allowAnonymousAccess="true"), all other elements can still remain
false, but anonymous binds work.

Does a configuration on a higher level (apacheDS) overwrite values below
(ldapServer)? I guess not ...

Any help here is highly welcome. I would like to document legal and
intended configuration and behavior.

Thanks in advance and greetings from Hamburg,
    Stefan
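
An added example, not part of the thread and not ApacheDS code: a Python check that lists allowAnonymousAccess on the three server.xml elements named above and flags any level set to true, left unset, or disagreeing with the others, since the thread reports that true on apacheDS alone is enough for anonymous binds. The sample XML is constructed; its `<beans>` root and flat layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Elements the thread lists as carrying allowAnonymousAccess.
ELEMENTS = ("apacheDS", "defaultDirectoryService", "ldapServer")
ATTR = "allowAnonymousAccess"

# Constructed sample: only the three elements quoted in the thread. The flat
# nesting and the <beans> root are assumptions made for this example.
SAMPLE = """<beans>
  <defaultDirectoryService id="directoryService" instanceId="default"
      workingDirectory="example.com" allowAnonymousAccess="false"/>
  <ldapServer id="ldapServer" ipPort="10389" allowAnonymousAccess="false"/>
  <apacheDS id="apacheDS" synchPeriodMillis="15000" allowAnonymousAccess="true"/>
</beans>"""

def collect(xml_text):
    """Return [(element, id, value or None)] in document order."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any '{namespace}' prefix
        if name in ELEMENTS:
            value = el.get(ATTR)
            if value is not None:
                value = value.strip().lower()
            found.append((name, el.get("id"), value))
    return found

def audit(xml_text):
    """Report every 'true' or unset value, and any disagreement between levels."""
    settings = collect(xml_text)
    findings = []
    for name, ident, value in settings:
        if value == "true":
            findings.append(f"{name} (id={ident}): {ATTR}=true")
        elif value is None:
            findings.append(f"{name} (id={ident}): {ATTR} not set")
    if len({value for _, _, value in settings}) > 1:
        findings.append("levels disagree; review which one takes effect")
    return settings, findings

if __name__ == "__main__":
    settings, findings = audit(SAMPLE)
    for name, ident, value in settings:
        print(f"{name:24} id={ident!s:16} {ATTR}={value}")
    print("\n".join(findings) or "no findings")
```

An unset attribute is reported rather than assigned a default, because the thread does not say what the default is at each level.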