Stefan Zoerner wrote:
> Quanah Gibson-Mount wrote:
>> --On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu
>> <akarasulu@gmail.com> wrote:
>>
>>> Ahhh okie you're right on. My bad.
>>
>> This is quite correct. There are even some (stupid) security
>> programs that will say being able to read the rootDSE is a
>> vulnerability. OTOH, I've always left it read to the world, most
>> clients prefer it. :P
>>
>
> There are also tests within the Open Group LDAP certification suite
> which check whether the Root DSE is readable anonymously. But it is
> OK if we are able to configure a server to behave like that for a
> test run. No need to make that the default.
Stefan, all we need is a way to send a SearchRequest targeting the
RootDSE without a previous BindRequest. Not sure that JNDI allows such
an operation.
As soon as we can read the rootDSE without being bound, then we are golden,
as the way we protect the rest of the entries is different.
Also, the RFC states that the rootDSE *may* be protected, which does not
mean it should be. And I think, like Quanah, that it does not make a lot
of sense to protect it, unless you want to get numerous mails on the
users mailing list about the unavailable rootDSE ;)
Thanks Stefan!
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
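The check Emmanuel describes, a SearchRequest for the RootDSE sent as the very first PDU on a fresh connection with no BindRequest in front of it, is easiest to see at the wire level, independent of whatever JNDI does or does not allow. The following is an added example written for this note; it is not code from the thread, from ApacheDS, or from any LDAP library. It hand-encodes the LDAP v3 SearchRequest (RFC 4511) for baseObject "", scope baseObject, filter (objectClass=*), in BER, and classifies the first reply as either a SearchResultEntry (the rootDSE is anonymously readable) or a SearchResultDone carrying a resultCode (the server refused or errored). The function names, the default attribute list and the two response byte strings used in the test are constructed for the example.

```python
import socket

# --- minimal BER encoding (assumption: only the definite-length forms LDAP uses) ---

def ber_len(n):
    """Encode a BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Wrap content in a single-byte tag plus its BER length."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value, tag=0x02):
    """Encode a non-negative INTEGER (or ENUMERATED when tag=0x0a) in minimal two's complement."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(n, "big", signed=True))

# --- the anonymous RootDSE SearchRequest ---

def rootdse_search_request(message_id=1,
                           attrs=("namingContexts", "supportedLDAPVersion",
                                  "supportedSASLMechanisms", "vendorName")):
    """LDAPMessage { messageID, SearchRequest } for the RootDSE.

    No BindRequest precedes it: sending this as the first PDU on a new
    connection is exactly the 'read rootDSE without being bound' case.
    """
    search_request = (
        tlv(0x04, b"")                      # baseObject: empty DN selects the RootDSE
        + ber_int(0, 0x0a)                  # scope: baseObject (0)
        + ber_int(0, 0x0a)                  # derefAliases: neverDerefAliases (0)
        + ber_int(0)                        # sizeLimit: 0 (no client limit)
        + ber_int(0)                        # timeLimit: 0 (no client limit)
        + tlv(0x01, b"\x00")                # typesOnly: FALSE
        + tlv(0x87, b"objectClass")         # filter: present [7] -> (objectClass=*)
        + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs))  # attributes
    )
    # SearchRequest is [APPLICATION 3] constructed -> tag 0x63; LDAPMessage is a SEQUENCE.
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search_request))

# --- minimal BER decoding of the reply ---

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_response(data):
    """Classify the first LDAPMessage in data.

    ("entry", None)       -> SearchResultEntry [APPLICATION 4]: RootDSE was readable
    ("done", resultCode)  -> SearchResultDone  [APPLICATION 5]: no entry, see resultCode
    ("other", tag)        -> anything else (e.g. a Notice of Disconnection)
    """
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _message_id, pos = _read_tlv(message, 0)
    op_tag, op, _ = _read_tlv(message, pos)
    if op_tag == 0x64:
        return ("entry", None)
    if op_tag == 0x65:
        _, result_code, _ = _read_tlv(op, 0)   # LDAPResult.resultCode ENUMERATED
        return ("done", int.from_bytes(result_code, "big"))
    return ("other", op_tag)

def probe_anonymous_rootdse(host, port=389, timeout=5.0):
    """Open a fresh connection, send the SearchRequest with no bind, classify the first reply.

    Only the first PDU of the reply is examined; a readable RootDSE answers with an
    entry first, so that is enough for a yes/no check.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(rootdse_search_request())
        data = sock.recv(65536)
    return classify_response(data)
```

probe_anonymous_rootdse("ldap.example.org") returning ("entry", None) is the behaviour the Open Group tests and most clients expect; ("done", 50) (insufficientAccessRights) or ("done", 1) (operationsError) shows a server that refuses unbound reads. On the JNDI side of the question, the LDAP provider does support an anonymous session when the environment property javax.naming.Context.SECURITY_AUTHENTICATION is set to "none", which is the route a Java test would take rather than hand-built PDUs.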