directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Assigned: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Tue, 21 Jul 2009 22:07:14 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny reassigned DIRSERVER-1383:
--------------------------------------------

    Assignee: Emmanuel Lecharny

> There is a confusion between Anonymous access and Access to rootDSE
> -------------------------------------------------------------------
>
>                 Key: DIRSERVER-1383
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>            Assignee: Emmanuel Lecharny
>            Priority: Critical
>             Fix For: 1.5.5
>
>
> The way the Anonymous authenticator is written makes it possible to be bound and read the rootDSE even if anonymous access is disabled on the server:
>     public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
>     {
>         // We only allow Anonymous binds if the service allows them _or_
>         // if the user wants to bind on the rootDSE
>         if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )  // <=== here !!
>         {
>             return LdapPrincipal.ANONYMOUS;
>         }
>         // ... (remainder of the method not quoted in the report)
>     }
> So an anonymous bind will always be accepted, as it will be identified as a bind to the rootDSE (the DN is empty when doing an anonymous bind).
> So you *always* have access to the server even if the allowedAnonymousAccess flag is set to false !!!
> Bad ...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
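As an added example (not ApacheDS code; the class, method and variable names are assumptions), a stripped-down Java model of the bind check quoted in the report next to one that keeps the decision "may this client bind anonymously" separate from "may an unauthenticated client read the rootDSE":

```java
import javax.naming.NamingException;

// Added example, not ApacheDS code: models the reported bind check and a
// version that separates it from rootDSE readability. All names are assumed.
public class AnonymousBindCheck {
    static final String ANONYMOUS = "anonymous"; // stand-in for LdapPrincipal.ANONYMOUS

    // The check as quoted in the report: every anonymous bind carries an empty
    // DN, so the second operand is always true and the server flag never applies.
    static String authenticateReported(boolean allowAnonymousAccess, String bindDn)
            throws NamingException {
        if (allowAnonymousAccess || bindDn.isEmpty()) {
            return ANONYMOUS;
        }
        throw new NamingException("anonymous bind refused");
    }

    // Bind decision that consults only the server flag; reading the rootDSE
    // without authenticating is a per-operation question (mayReadRootDse).
    static String authenticateSeparated(boolean allowAnonymousAccess)
            throws NamingException {
        if (allowAnonymousAccess) {
            return ANONYMOUS;
        }
        throw new NamingException("anonymous bind refused");
    }

    // Assumed operation-level policy: an unauthenticated session may read only
    // the rootDSE (empty base DN) unless anonymous access is enabled outright.
    static boolean mayReadRootDse(boolean allowAnonymousAccess, String baseDn, boolean authenticated) {
        return authenticated || allowAnonymousAccess || baseDn.isEmpty();
    }

    public static void main(String[] args) {
        boolean allowAnon = false;   // server configured to refuse anonymous access
        String anonymousBindDn = ""; // an anonymous bind always carries an empty DN
        try {
            authenticateReported(allowAnon, anonymousBindDn);
            System.out.println("reported check: anonymous bind ACCEPTED although disabled");
        } catch (NamingException e) {
            System.out.println("reported check: refused");
        }
        try {
            authenticateSeparated(allowAnon);
            System.out.println("separated check: accepted");
        } catch (NamingException e) {
            System.out.println("separated check: refused; rootDSE still readable = "
                    + mayReadRootDse(allowAnon, "", false));
        }
    }
}
```

With anonymous access disabled, the reported check prints that the empty-DN bind was accepted, while the separated check refuses the bind yet still lets the unauthenticated session read the rootDSE under the assumed policy.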

