From dev-return-30714-apmail-directory-dev-archive=directory.apache.org@directory.apache.org Mon Jul 20 23:10:37 2009
From: "Emmanuel Lecharny (JIRA)"
To: dev@directory.apache.org
Reply-To: "Apache Directory Developers List"
Date: Mon, 20 Jul 2009 16:11:16 -0700 (PDT)
Subject: [jira] Commented: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Message-ID: <1559619563.1248131476210.JavaMail.jira@brutus>
In-Reply-To: <2126456754.1248127994863.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/DIRSERVER-1383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733393#action_12733393 ]

Emmanuel Lecharny commented on DIRSERVER-1383:
----------------------------------------------

More specifically, in serverInteg tests, we should remove the following tests which don't make sense:

- testSimpleBindNoUserNoPassword
- testAnonymousRootDSE
- testAnonymousBelowRootDSE
- testDisableAnonymousBinds

We also had a convo with Stefan Seelmann, and we agreed on the fact that having a flag for allowing anonymous access is just a speedup, compared to a solution based on ACI. The real way to allow or forbid anonymous access to the server is by using ACI.

> There is a confusion between Anonymous access and Access to rootDSE
> -------------------------------------------------------------------
>
>                 Key: DIRSERVER-1383
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>            Priority: Critical
>             Fix For: 1.5.5
>
>
> The way the Anonymous authenticator is written makes it possible to be bound and read the rootDSE even if anonymous access is disabled on the server:
>
>     public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
>     {
>         // We only allow Anonymous binds if the service allows them _or_
>         // if the user wants to bind on the rootDSE
>         if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )   <=== here !!
>         {
>             return LdapPrincipal.ANONYMOUS;
>
> So an anonymous bind will always be accepted, as it will be identified as a bind to the rootDSE (the DN is empty when doing an anonymous bind).
>
> So you *always* have access to the server even if the allowedAnonymousAccess flag is set to false !!!
>
> Bad ...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
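The logic error in the quoted authenticator is easy to reason about once the two conditions are modelled side by side. The following Java class is an added example written for this page; it is not ApacheDS code, and `BindContext`, `Outcome`, `authenticateAsReported` and `authenticateHardened` are hypothetical stand-ins for the real `BindOperationContext`, `LdapPrincipal` and `authenticate(...)` shown in the issue. It reproduces the reported predicate (flag OR empty DN) and places a hardened variant next to it in which an anonymous bind is accepted only when the server flag allows it, with rootDSE readability left to access control (ACI), as the comment above argues. What the real authenticator does when its condition fails is not on the page; the model simply rejects.

```java
import java.util.Objects;

/**
 * Added example (not ApacheDS code): a self-contained model of the bind
 * decision discussed in DIRSERVER-1383. All types here are hypothetical.
 */
public class AnonymousBindCheck {

    /** Hypothetical stand-in for BindOperationContext: only the bind DN matters here. */
    static final class BindContext {
        private final String dn;

        BindContext(String dn) {
            this.dn = Objects.requireNonNull(dn);
        }

        /** An anonymous bind carries an empty DN, exactly like a bind "to the rootDSE". */
        boolean dnIsEmpty() {
            return dn.isEmpty();
        }
    }

    /** Hypothetical stand-in for the authenticator's result (LdapPrincipal.ANONYMOUS or a refusal). */
    enum Outcome { ANONYMOUS_PRINCIPAL, REJECTED }

    /**
     * The predicate quoted in the issue: server flag OR empty DN.
     * Because every anonymous bind has an empty DN, the right-hand side is
     * true for every anonymous bind, so the flag is never actually consulted.
     */
    static Outcome authenticateAsReported(boolean allowAnonymousAccess, BindContext ctx) {
        if (allowAnonymousAccess || ctx.dnIsEmpty()) {
            return Outcome.ANONYMOUS_PRINCIPAL;
        }
        return Outcome.REJECTED;
    }

    /**
     * Hardened variant (this example's own suggestion, not the project's fix):
     * an anonymous bind is accepted only when the server allows anonymous access.
     * Whether an unauthenticated client may then read the rootDSE is a separate
     * access-control (ACI) decision taken at search time, not part of the bind.
     */
    static Outcome authenticateHardened(boolean allowAnonymousAccess, BindContext ctx) {
        if (!ctx.dnIsEmpty()) {
            // Not an anonymous bind: this authenticator has nothing to decide.
            return Outcome.REJECTED;
        }
        return allowAnonymousAccess ? Outcome.ANONYMOUS_PRINCIPAL : Outcome.REJECTED;
    }

    public static void main(String[] args) {
        // Constructed input: an anonymous bind, i.e. an empty DN.
        BindContext anonymous = new BindContext("");
        boolean flagOff = false;

        System.out.println("reported, flag off: " + authenticateAsReported(flagOff, anonymous));
        System.out.println("hardened, flag off: " + authenticateHardened(flagOff, anonymous));
        System.out.println("hardened, flag on : " + authenticateHardened(true, anonymous));
    }
}
```

Running `main` shows the three cases that matter: with the server flag off, the reported predicate still yields the anonymous principal, the hardened check rejects the bind, and with the flag on the hardened check accepts it. A regression test for this issue would assert exactly the second line, which is the case the integration tests listed in the comment were not distinguishing.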