From: Emmanuel Lecharny
Date: Tue, 21 Jul 2009 10:24:05 +0200
To: Apache Directory Developers List <dev@directory.apache.org>
Subject: Re: [jira] Created: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Message-ID: <4A657B25.5090602@nextury.com>
References: <2126456754.1248127994863.JavaMail.jira@brutus> <4A650D1F.4000102@nextury.com> <4A655F94.8040109@labeo.de>
In-Reply-To: <4A655F94.8040109@labeo.de>

Stefan Zoerner wrote:
> Quanah Gibson-Mount wrote:
>> --On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu wrote:
>>
>>> Ahhh okie you're right on. My bad.
>>
>> This is quite correct. There are even some (stupid) security
>> programs that will say being able to read the rootDSE is a
>> vulnerability. OTOH, I've always left it read to the world, most
>> clients prefer it. :P
>>
>
> There are also tests within the Open Group LDAP certification suite
> which check whether the Root DSE is readable anonymously. But it is
> OK, if we are able to configure a server to behave like that for a
> test run. No need to make that the default.

Stefan, all we need is a way to send a SearchRequest targeting the RootDSE without a previous BindRequest. Not sure that JNDI allows such an operation. As soon as we can read the rootDSE without being bound, we are golden, as the way we protect the rest of the entries is different.

Also, the RFC states that the rootDSE *may* be protected, which does not mean it should be. And I think, like Quanah, that it does not make a lot of sense to protect it, unless you want to get numerous mails on the users mailing list about the unavailable rootDSE ;)

Thanks Stefan !

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
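As an added illustration of what the message above asks for (this is not code from the thread, from JNDI or from ApacheDS): a small hand-rolled LDAPv3/BER encoder and decoder in Python that builds a SearchRequest for base "" (the root DSE), scope baseObject, filter (objectClass=*), with no BindRequest in front of it, then parses a server's SearchResultEntry and SearchResultDone. The function `first_operation_is_unbound_rootdse_search` is a hypothetical harness check of the kind a certification-style test run could use to confirm the client stream really opens with a search and not a bind. The server reply bytes and the `dc=example,dc=com` naming context are constructed sample data; the attribute names are standard root DSE attributes.

```python
# Added example (not from the thread or ApacheDS): an LDAPv3 root DSE read on
# the wire with NO BindRequest before it. Hand-rolled BER, standard library only.
# Server replies below are constructed sample data, not a real capture.

SEQUENCE, SET, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x31, 0x02, 0x04, 0x0A, 0x01
APP_BIND_REQUEST = 0x60         # [APPLICATION 0] BindRequest
APP_SEARCH_REQUEST = 0x63       # [APPLICATION 3] SearchRequest
APP_SEARCH_RESULT_ENTRY = 0x64  # [APPLICATION 4] SearchResultEntry
APP_SEARCH_RESULT_DONE = 0x65   # [APPLICATION 5] SearchResultDone
FILTER_PRESENT = 0x87           # [7] "present" filter, used for (objectClass=*)
SCOPE_BASE_OBJECT, DEREF_NEVER, RESULT_SUCCESS = 0, 0, 0
ROOT_DSE_ATTRS = ("namingContexts", "supportedLDAPVersion", "supportedSASLMechanisms")

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=INTEGER):
    """Two's-complement INTEGER / ENUMERATED (values here are small and >= 0)."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s):
    return tlv(OCTET_STRING, s.encode("utf-8"))

def build_rootdse_search_request(message_id, attributes=ROOT_DSE_ATTRS):
    """SearchRequest for base '' (root DSE), scope baseObject, filter (objectClass=*)."""
    search = (ber_str("")                              # baseObject: the empty DN
              + ber_int(SCOPE_BASE_OBJECT, ENUMERATED)
              + ber_int(DEREF_NEVER, ENUMERATED)
              + ber_int(0) + ber_int(0)                # sizeLimit, timeLimit: none
              + tlv(BOOLEAN, b"\x00")                  # typesOnly FALSE
              + tlv(FILTER_PRESENT, b"objectClass")
              + tlv(SEQUENCE, b"".join(ber_str(a) for a in attributes)))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(APP_SEARCH_REQUEST, search))

def build_anonymous_bind_request(message_id):
    """Contrast: what a client that binds first sends (v3, empty name, simple [0] empty pw)."""
    bind = ber_int(3) + ber_str("") + tlv(0x80, b"")
    return tlv(SEQUENCE, ber_int(message_id) + tlv(APP_BIND_REQUEST, bind))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        items.append((tag, value))
    return items

def parse_ldap_message(buf):
    """Returns (messageID, protocolOp tag, protocolOp payload, bytes consumed)."""
    tag, body, end = read_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op_val) = read_seq(body)[:2]   # trailing controls ignored
    return int.from_bytes(msg_id, "big", signed=True), op_tag, op_val, end

def parse_search_result_entry(op_val):
    (_, dn), (_, attrs) = read_seq(op_val)
    result = {}
    for _, attr in read_seq(attrs):
        (_, atype), (_, vals) = read_seq(attr)
        result[atype.decode()] = [v.decode() for _, v in read_seq(vals)]
    return dn.decode(), result

def first_operation_is_unbound_rootdse_search(client_stream):
    """Hypothetical harness check: is the client's very first PDU a SearchRequest on base ''?"""
    _, op_tag, op_val, _ = parse_ldap_message(client_stream)
    if op_tag != APP_SEARCH_REQUEST:
        return False                                   # e.g. a BindRequest came first
    base_tag, base, _ = read_tlv(op_val)
    return base_tag == OCTET_STRING and base == b""

def build_server_replies(message_id):
    """Constructed sample answer: one SearchResultEntry for the root DSE, then SearchResultDone."""
    def attr(name, values):
        return tlv(SEQUENCE, ber_str(name) + tlv(SET, b"".join(ber_str(v) for v in values)))
    entry = ber_str("") + tlv(SEQUENCE, attr("supportedLDAPVersion", ["3"])
                                        + attr("namingContexts", ["dc=example,dc=com"]))
    done = ber_int(RESULT_SUCCESS, ENUMERATED) + ber_str("") + ber_str("")  # matchedDN, diagnostic
    return (tlv(SEQUENCE, ber_int(message_id) + tlv(APP_SEARCH_RESULT_ENTRY, entry))
            + tlv(SEQUENCE, ber_int(message_id) + tlv(APP_SEARCH_RESULT_DONE, done)))

def run_exchange(message_id=1):
    """Client side of the exchange, read against the constructed server stream."""
    request = build_rootdse_search_request(message_id)
    stream, pos, entries, result_code = build_server_replies(message_id), 0, [], None
    while pos < len(stream):
        msg_id, op_tag, op_val, consumed = parse_ldap_message(stream[pos:])
        pos += consumed
        if msg_id != message_id:
            continue
        if op_tag == APP_SEARCH_RESULT_ENTRY:
            entries.append(parse_search_result_entry(op_val))
        elif op_tag == APP_SEARCH_RESULT_DONE:
            result_code = read_seq(op_val)[0][1][0]    # ENUMERATED resultCode
    return {"request": request, "result_code": result_code, "entries": entries}

if __name__ == "__main__":
    out = run_exchange()
    print("unbound root DSE search first:", first_operation_is_unbound_rootdse_search(out["request"]))
    print("result code:", out["result_code"], "entries:", out["entries"])
```

The point of the block is the wire-level requirement the thread is discussing: whichever client library produces the bytes (JNDI or another), what the server must accept is a SearchRequest on base "" arriving as the first PDU on the connection, with nothing bound. Feeding `build_anonymous_bind_request` to the harness check returns False, which is how a test run can tell "bound as anonymous then searched" apart from "searched without binding at all".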