directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: [jira] Created: (DIRSERVER-1169) Access control don't apply to the rootDSE
Date Tue, 06 May 2008 13:23:03 GMT
Alex Karasulu wrote:
> No need to quote the RFC with me, I know that it can be subject to 
> access control - read my question.  
Sorry, I misunderstood your question, not intended to make you feel like 
you don't know the RFC.
> You know of situations when it is actually set to anything but 
> read-only by everyone?
When you use HTTPd, you usually mask the version and name just for 
security reasons (if you know which version you are connected to, you 
can use the known security issues the specific version has to attack 
the server).

I don't know if this is a strong enough use case anyway. Let's say that 
this JIRA is pretty much a 'non conformance to the spec' JIRA.

I can downgrade it to Improvement, instead of 'bug'.

Not a big deal, really!
>
> Alex
>
> On Tue, May 6, 2008 at 1:04 AM, Emmanuel Lecharny 
> <elecharny@apache.org> wrote:
>
>     Alex Karasulu wrote:
>
>         This is because the RootDSE is usually bare so applications
>         can perform discovery but some servers might want to protect
>         it.  Know of any situation when the RootDSE could be hidden?
>
>     RFC 4512 :
>
>     5.1.  Server-Specific Data Requirements
>
>      An LDAP server SHALL provide information about itself and other
>      information that is specific to each server.  This is represented as
>      a group of attributes located in the root DSE, which is named with
>      the DN with zero RDNs (whose [RFC4514] representation is as the
>      zero-length string).
>
>      These attributes are retrievable, _subject to access control_ and
>      other restrictions, if a client performs a Search operation [RFC4511]
>      with an empty baseObject, scope of baseObject, the filter
>      "(objectClass=*)" [RFC4515], and the attributes field listing the
>      names of the desired attributes.
>
>
>     -- 
>     --
>     cordialement, regards,
>     Emmanuel Lécharny
>     www.iktek.com
>     directory.apache.org
>
>
>


-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
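
Added example, not part of the original message or of ApacheDS: a Python audit of what a rootDSE search result exposes, separating the product-identifying attributes (the banner analogy above) from the discovery attributes RFC 4512 section 5.1 lists. The vendorName/vendorVersion names are taken from RFC 3045, not from this thread, and the LDIF sample is constructed.

```python
import base64

# RFC 3045 attributes naming the product: the LDAP analogue of an HTTPd banner.
IDENTITY_ATTRS = {"vendorname", "vendorversion"}
# RFC 4512 section 5.1 attributes that clients read for discovery.
DISCOVERY_ATTRS = {"altserver", "namingcontexts", "supportedcontrol",
                   "supportedextension", "supportedfeatures",
                   "supportedldapversion", "supportedsaslmechanisms"}

# Constructed sample: LDIF that an anonymous rootDSE search might return.
SAMPLE_LDIF = """\
dn:
objectClass: top
namingContexts: ou=system
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
vendorName: Example Directory Pro
 ject
vendorVersion:: MS4yLjMtU05BUFNIT1Q=
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry

def audit_root_dse(text):
    """Sort the attributes a rootDSE search exposed into three buckets."""
    entry = parse_ldif_entry(text)
    entry.pop("dn", None)
    report = {"identity": {}, "discovery": {}, "other": {}}
    for name, values in entry.items():
        bucket = ("identity" if name in IDENTITY_ATTRS else
                  "discovery" if name in DISCOVERY_ATTRS else "other")
        report[bucket][name] = values
    return report
```

Calling audit_root_dse(SAMPLE_LDIF) returns the three buckets; a non-empty "identity" bucket on an anonymous bind is the disclosure that access control on the rootDSE would let an administrator restrict.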


