You're supposed to allow annonymous binds to the RootDSE even when anon binds are disabled.  This is because RootDSE access is required always to discover how to auth in the first place.

Alex

On Mon, Jul 20, 2009 at 6:13 PM, Emmanuel Lecharny (JIRA) <jira@apache.org> wrote:
There is a confusion between Anonymous access and Access to rootDSE
-------------------------------------------------------------------

                Key: DIRSERVER-1383
                URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
            Project: Directory ApacheDS
         Issue Type: Bug
   Affects Versions: 1.5.4
           Reporter: Emmanuel Lecharny
           Priority: Critical
            Fix For: 1.5.5


The way the Anonymous authenticator is written makes it possible to be bound and read the rootDSE even if anonymous access is disabled on the server :

   public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
   {
       // We only allow Anonymous binds if the service allows them _or_
       // if the user wants to bind on the rootDSE
       if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )  <=== here !!
       {
           return LdapPrincipal.ANONYMOUS;

So an anonymous bind will always be accepted, as it will be identified as a bind to the rootDSE (the DN is empty when doing an anonymous bind).

So you *always* have access to the server even if the alowedAnonymousAccess flag  is set to false !!!

Bad ...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.




--
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org