From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Created: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Mon, 20 Jul 2009 22:13:14 GMT
There is a confusion between Anonymous access and Access to rootDSE
-------------------------------------------------------------------

                 Key: DIRSERVER-1383
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 1.5.4
            Reporter: Emmanuel Lecharny
            Priority: Critical
             Fix For: 1.5.5


The way the Anonymous authenticator is written makes it possible to be bound and read the
rootDSE even if anonymous access is disabled on the server:

    public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
    {
        // We only allow Anonymous binds if the service allows them _or_
        // if the user wants to bind on the rootDSE
        if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )  // <=== here !!
        {
            return LdapPrincipal.ANONYMOUS;
        }
        ...

So an anonymous bind will always be accepted, as it will be identified as a bind to the rootDSE
(the DN is empty when doing an anonymous bind).

So you *always* have access to the server even if the allowAnonymousAccess flag is set to
false!!!

Bad ...

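Added example, not ApacheDS code and not the fix the project shipped: a stand-alone Java model of the reported check next to a separation of the two decisions it conflates. Class and method names (AnonymousBindCheck, vulnerableBind, fixedBind, mayRead) are assumptions; the bind decision is made to depend only on the server flag, while reading the rootDSE (base DN "") from an unbound session is treated as a separate per-operation authorization question.

```java
/**
 * Stand-alone model of the DIRSERVER-1383 check (assumed names, not ApacheDS code).
 * An anonymous bind always carries an empty DN, so "empty DN" cannot be used as a
 * proxy for "wants to read the rootDSE" inside the bind decision.
 */
public final class AnonymousBindCheck {

    enum BindDecision { ANONYMOUS, REJECTED }

    /** Reported logic: an empty bind DN is taken to mean "bind on the rootDSE",
     *  so the anonymous bind is accepted regardless of the server flag. */
    static BindDecision vulnerableBind(boolean allowAnonymousAccess, String bindDn) {
        if (allowAnonymousAccess || bindDn.isEmpty()) {
            return BindDecision.ANONYMOUS;
        }
        return BindDecision.REJECTED;
    }

    /** Corrected bind decision (assumed fix): only the server flag decides whether an
     *  anonymous bind succeeds. This authenticator only ever sees empty-DN binds. */
    static BindDecision fixedBind(boolean allowAnonymousAccess, String bindDn) {
        if (!bindDn.isEmpty()) {
            throw new IllegalArgumentException("anonymous authenticator only handles empty-DN binds");
        }
        return allowAnonymousAccess ? BindDecision.ANONYMOUS : BindDecision.REJECTED;
    }

    /** Authorization-side check (assumed design): an unbound session may read the rootDSE
     *  (base DN ""); any other base needs anonymous access enabled or an authenticated user. */
    static boolean mayRead(boolean allowAnonymousAccess, boolean authenticated, String baseDn) {
        if (authenticated) {
            return true;
        }
        if (baseDn.isEmpty()) {
            return true; // rootDSE only
        }
        return allowAnonymousAccess;
    }

    public static void main(String[] args) {
        // Anonymous bind while the flag is disabled: the reported check still accepts it.
        System.out.println("vulnerable bind, flag off: " + vulnerableBind(false, ""));
        System.out.println("fixed bind, flag off:      " + fixedBind(false, ""));
        // Unbound session: rootDSE stays readable, a real entry does not.
        System.out.println("rootDSE readable unbound:  " + mayRead(false, false, ""));
        System.out.println("entry readable unbound:    " + mayRead(false, false, "ou=users,dc=example,dc=com"));
    }
}
```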