From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: [jira] Created: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Tue, 21 Jul 2009 08:20:10 GMT
Quanah Gibson-Mount wrote:
> --On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu 
> <akarasulu@gmail.com> wrote:
>
>> Ahhh okie you're right on.  My bad.
>
> This is quite correct.  There are even some (stupid) security programs 
> that will say being able to read the rootDSE is a vulnerability.  
> OTOH, I've always left it read to the world, most clients prefer it. :P
Here, the problem is much more serious: it's the Bind operation which 
is faulty, allowing an anonymous bind even if not allowed... Everything 
else is pure theory, and if we stick to the RFC, even the rootDSE could 
be read-protected.

Anyway, the Bind issue must be fixed. We have tests which wrongly assume 
that we *must* be able to read rootDSE as anonymous even if the 
allowAnonymousAccess flag is set to 'false', just because we didn't do 
the right thing: do a search on the rootDSE entry *without* a previous 
bind. I'm not sure you can do that using JNDI (doing a search without 
issuing a BindRequest first).

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org