directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: [jira] Created: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Tue, 21 Jul 2009 08:24:05 GMT
Stefan Zoerner wrote:
> Quanah Gibson-Mount wrote:
>> --On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu 
>> <akarasulu@gmail.com> wrote:
>>
>>> Ahhh okie you're right on.  My bad.
>>
>> This is quite correct.  There are even some (stupid) security 
>> programs that will say being able to read the rootDSE is a 
>> vulnerability.  OTOH, I've always left it read to the world, most 
>> clients prefer it. :P
>>
>
> There are also tests within the Open Group LDAP certification suite 
> which check whether the Root DSE is readable anonymously. But it is 
> OK, if we are able to configure a server to behave like that for a 
> test run. No need to make that the default.

Stefan, all we need is a way to send a SearchRequest targeting the 
RootDSE without a previous BindRequest. Not sure that JNDI allows such 
an operation.

As soon as we can read rootDSE without being bound, then we are golden, 
as the way we protect the rest of the entries is different.

Also, the RFC states that the rootDSE *may* be protected, which does not 
mean it should be. And I think, like Quanah, that it does not make a lot 
of sense to protect it, unless you want to get numerous mails on the 
users mailing list about the unavailable rootDSE ;)

Thanks Stefan !


-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
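The operation Emmanuel describes above (a SearchRequest for the RootDSE sent before any BindRequest) can be put on the wire without JNDI at all, since LDAPv3 allows a search as the first message on a connection and leaves it to the server's access control whether to answer. The following is an added example, not code from this thread, from ApacheDS or from JNDI: it hand-encodes the BER of that LDAPMessage, decodes enough of a message to name its operation, and can send the request to a server you administer to check what its RootDSE policy actually does for unbound clients. The helper names, the attribute list and the `host` argument are this example's own choices.

```python
"""Raw LDAPv3 SearchRequest for the RootDSE, sent with no preceding BindRequest.

Constructed example, not ApacheDS or JNDI code. The BER helpers and the
function names are this example's own.
"""
import socket

# ---- Minimal BER encoding (only what a RootDSE search needs) ----

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_small_int(value, tag=0x02):
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0a) for 0 <= value < 128,
    which covers every numeric field in this message."""
    if not 0 <= value < 0x80:
        raise ValueError("only small non-negative values are encoded here")
    return tlv(tag, bytes([value]))

def root_dse_search_request(message_id=1,
                            attributes=("namingContexts",
                                        "supportedLDAPVersion",
                                        "supportedSASLMechanisms")):
    """LDAPMessage { messageID, SearchRequest } for baseObject "" (the RootDSE).

    SearchRequest is [APPLICATION 3] (tag 0x63); the 'present' filter is the
    context-specific tag [7] (0x87). Nothing here requires a Bind first: the
    server decides, per its access control, whether to answer an unbound client.
    """
    search = (
        tlv(0x04, b"")                  # baseObject: "" selects the RootDSE
        + ber_small_int(0, tag=0x0a)    # scope: baseObject (0)
        + ber_small_int(0, tag=0x0a)    # derefAliases: neverDerefAliases (0)
        + ber_small_int(0)              # sizeLimit: 0 = no client limit
        + ber_small_int(0)              # timeLimit: 0 = no client limit
        + tlv(0x01, b"\x00")            # typesOnly: FALSE
        + tlv(0x87, b"objectClass")     # filter: (objectClass=*)
        + tlv(0x30, b"".join(tlv(0x04, a.encode("ascii")) for a in attributes))
    )
    return tlv(0x30, ber_small_int(message_id) + tlv(0x63, search))

# ---- Minimal BER decoding, enough to name the operation in an LDAPMessage ----

LDAP_OPS = {
    0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
    0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone",
}

def parse_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index after the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def first_operation(msg):
    """Return (messageID, operation name) of the LDAPMessage at the start of msg.

    On the request this confirms the first thing on the wire is a SearchRequest.
    On a captured reply, SearchResultEntry means the server served the RootDSE
    to an unbound client; a reply starting with SearchResultDone means no entry
    came back (resultCode 0 = simply not visible, a non-zero code such as
    insufficientAccessRights (50) = refused outright).
    """
    if msg[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, i = parse_len(msg, 1)
    if msg[i] != 0x02:
        raise ValueError("messageID INTEGER expected")
    n, i = parse_len(msg, i + 1)
    message_id = int.from_bytes(msg[i:i + n], "big")
    op_tag = msg[i + n]
    return message_id, LDAP_OPS.get(op_tag, "tag 0x%02x" % op_tag)

def search_root_dse_unbound(host, port=389, timeout=5.0):
    """Send the SearchRequest as the very first message on a fresh connection
    and return the raw reply bytes. `host` is a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(root_dse_search_request())
        return sock.recv(65535)

if __name__ == "__main__":
    request = root_dse_search_request()
    print(request.hex())
    print(first_operation(request))   # (1, 'SearchRequest'): no Bind preceded it
```

Pairing this with a packet capture of a JNDI client configured with `Context.SECURITY_AUTHENTICATION` set to `"none"` answers Emmanuel's question empirically: if the capture shows a BindRequest (tag 0x60) before the search, JNDI is binding anonymously rather than searching unbound, and the server-side test for "RootDSE readable without a Bind" has to be driven at the protocol level as above.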


