directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <>
Subject [jira] Commented: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Mon, 20 Jul 2009 23:11:16 GMT


Emmanuel Lecharny commented on DIRSERVER-1383:

More specifically, in serverInteg tests, we should remove the following tests which don't
make sense :
- testSimpleBindNoUserNoPassword
- testAnonymousRootDSE
- testAnonymousBelowRootDSE
- testDisableAnonymousBinds

We also had a convo with Stefan Seelmann, and we agreed on the fact that having a flag for
allowing anonymous access is just a speedup, compared to a solution based on ACI. The real
way to allow or forbid anonymous access to the server is by using ACI.

> There is a confusion between Anonymous access and Access to rootDSE
> -------------------------------------------------------------------
>                 Key: DIRSERVER-1383
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>            Priority: Critical
>             Fix For: 1.5.5
> The way the Anonymous authenticator is written makes it possible to be bound and read
the rootDSE even if anonymous access is disabled on the server :
>     public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
>     {
>         // We only allow Anonymous binds if the service allows them _or_
>         // if the user wants to bind on the rootDSE
>         if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty()
)  <=== here !!
>         {
>             return LdapPrincipal.ANONYMOUS;
> So an anonymous bind will always be accepted, as it will be identified as a bind to the
rootDSE (the DN is empty when doing an anonymous bind).
> So you *always* have access to the server even if the alowedAnonymousAccess flag  is
set to false !!!
> Bad ...

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message