directory-dev mailing list archives

From Alex Karasulu <akaras...@gmail.com>
Subject Re: [jira] Created: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Tue, 21 Jul 2009 00:30:53 GMT
You're supposed to allow anonymous binds to the RootDSE even when anon
binds are disabled.  This is because RootDSE access is required always to
discover how to auth in the first place.
Alex

On Mon, Jul 20, 2009 at 6:13 PM, Emmanuel Lecharny (JIRA) <jira@apache.org> wrote:

> There is a confusion between Anonymous access and Access to rootDSE
> -------------------------------------------------------------------
>
>                 Key: DIRSERVER-1383
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>            Priority: Critical
>             Fix For: 1.5.5
>
>
> The way the Anonymous authenticator is written makes it possible to be
> bound and read the rootDSE even if anonymous access is disabled on the
> server :
>
>    public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
>    {
>        // We only allow Anonymous binds if the service allows them _or_
>        // if the user wants to bind on the rootDSE
>        if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )  <=== here !!
>        {
>            return LdapPrincipal.ANONYMOUS;
>
> So an anonymous bind will always be accepted, as it will be identified as a
> bind to the rootDSE (the DN is empty when doing an anonymous bind).
>
> So you *always* have access to the server even if the allowedAnonymousAccess
> flag is set to false !!!
>
> Bad ...
>


-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
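A small model of the separation Alex describes, written as an added example for this page and not ApacheDS code: the bind step accepts an anonymous bind unconditionally (so a client can always read the rootDSE to discover how to authenticate), and a separate authorisation step confines the anonymous principal to the rootDSE unless the server's allow-anonymous flag is set. The credential store, DNs and function names are constructed for the example.

```python
import hmac
from dataclasses import dataclass

ROOT_DSE = ""  # the rootDSE is the entry with the empty DN

# Constructed sample credential store (not a real ApacheDS user).
USERS = {"uid=admin,ou=system": b"secret"}


@dataclass(frozen=True)
class Principal:
    dn: str
    anonymous: bool


ANONYMOUS = Principal(dn="", anonymous=True)


def conflated_check(bind_dn: str, allow_anonymous: bool) -> bool:
    """The pattern from the bug report: a single test gates the bind, and an
    empty bind DN always satisfies it.  Because nothing downstream restricts
    the resulting anonymous session, the flag is effectively ignored."""
    return allow_anonymous or bind_dn == ""


def authenticate(bind_dn: str, password: bytes) -> Principal:
    """Bind step.  An anonymous (empty DN, empty password) bind is accepted
    regardless of the allow-anonymous flag; that flag is an authorisation
    concern, handled in authorize_read()."""
    if bind_dn == "" and password == b"":
        return ANONYMOUS
    stored = USERS.get(bind_dn)
    # Constant-time comparison so a wrong password is not timing-distinguishable.
    if stored is not None and hmac.compare_digest(stored, password):
        return Principal(dn=bind_dn, anonymous=False)
    raise PermissionError("invalid credentials")


def authorize_read(principal: Principal, target_dn: str, allow_anonymous: bool) -> bool:
    """Authorisation step, independent of the bind.  An anonymous principal may
    read the rootDSE unconditionally and anything else only when the server
    permits anonymous access; authenticated principals are not restricted here."""
    if not principal.anonymous:
        return True
    if target_dn == ROOT_DSE:
        return True
    return allow_anonymous
```

With anonymous access disabled, `authorize_read(ANONYMOUS, "", False)` is still true while `authorize_read(ANONYMOUS, "ou=system", False)` is false, which is the distinction the conflated check cannot make.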
