Mailing-List: contact dev-help@directory.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Apache Directory Developers List" <dev@directory.apache.org>
Received-SPF: pass (nike.apache.org: domain of akarasulu@gmail.com designates
 209.85.210.180 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=hlxEoKwyy+xewRKEZzom6Kc3M0+/IoM5+6ZvDal+Ka4JNfcnmWNEgw3coxsu/o+d4m
         ClpK0TKA4Zni3cAdHnj96yCuKpPgT0LfxWQz4KiEnPGxQubyDup0U4Y8v0CYDlg6eoZD
         N7mmOkeX5WnywqIu8FzzfhbjRXOX27Cf/EN1k=
MIME-Version: 1.0
In-Reply-To: <2126456754.1248127994863.JavaMail.jira@brutus>
References: <2126456754.1248127994863.JavaMail.jira@brutus>
Date: Mon, 20 Jul 2009 20:30:53 -0400
Message-ID: <a32f6b020907201730k971c946ua032a5a7ded02972@mail.gmail.com>
Subject: Re: [jira] Created: (DIRSERVER-1383) There is a confusion between
	Anonymous access and Access to rootDSE
From: Alex Karasulu <akarasulu@gmail.com>
To: Apache Directory Developers List <dev@directory.apache.org>
Content-Type: multipart/alternative; boundary=0022152d5cf90d2cb1046f2c5e2f

--0022152d5cf90d2cb1046f2c5e2f
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

You're supposed to allow annonymous binds to the RootDSE even when anon
binds are disabled.  This is because RootDSE access is required always to
discover how to auth in the first place.
Alex

On Mon, Jul 20, 2009 at 6:13 PM, Emmanuel Lecharny (JIRA)
<jira@apache.org>wrote:

> There is a confusion between Anonymous access and Access to rootDSE
> -------------------------------------------------------------------
>
>                 Key: DIRSERVER-1383
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>            Priority: Critical
>             Fix For: 1.5.5
>
>
> The way the Anonymous authenticator is written makes it possible to be
> bound and read the rootDSE even if anonymous access is disabled on the
> server :
>
>    public LdapPrincipal authenticate( BindOperationContext opContext )
> throws NamingException
>    {
>        // We only allow Anonymous binds if the service allows them _or_
>        // if the user wants to bind on the rootDSE
>        if ( getDirectoryService().isAllowAnonymousAccess() ||
> opContext.getDn().isEmpty() )  <=== here !!
>        {
>            return LdapPrincipal.ANONYMOUS;
>
> So an anonymous bind will always be accepted, as it will be identified as a
> bind to the rootDSE (the DN is empty when doing an anonymous bind).
>
> So you *always* have access to the server even if the alowedAnonymousAccess
> flag  is set to false !!!
>
> Bad ...
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>


-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org

--0022152d5cf90d2cb1046f2c5e2f
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

You&#39;re supposed to allow annonymous binds to the RootDSE even when anon=
 binds are disabled. =A0This is because RootDSE access is required always t=
o discover how to auth in the first place.<div><br></div><div>Alex<br><br>
<div class=3D"gmail_quote">On Mon, Jul 20, 2009 at 6:13 PM, Emmanuel Lechar=
ny (JIRA) <span dir=3D"ltr">&lt;<a href=3D"mailto:jira@apache.org">jira@apa=
che.org</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D=
"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
There is a confusion between Anonymous access and Access to rootDSE<br>
-------------------------------------------------------------------<br>
<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Key: DIRSERVER-1383<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 URL: <a href=3D"https://issues.apache.org/=
jira/browse/DIRSERVER-1383" target=3D"_blank">https://issues.apache.org/jir=
a/browse/DIRSERVER-1383</a><br>
 =A0 =A0 =A0 =A0 =A0 =A0 Project: Directory ApacheDS<br>
 =A0 =A0 =A0 =A0 =A0Issue Type: Bug<br>
 =A0 =A0Affects Versions: 1.5.4<br>
 =A0 =A0 =A0 =A0 =A0 =A0Reporter: Emmanuel Lecharny<br>
 =A0 =A0 =A0 =A0 =A0 =A0Priority: Critical<br>
 =A0 =A0 =A0 =A0 =A0 =A0 Fix For: 1.5.5<br>
<br>
<br>
The way the Anonymous authenticator is written makes it possible to be boun=
d and read the rootDSE even if anonymous access is disabled on the server :=
<br>
<br>
 =A0 =A0public LdapPrincipal authenticate( BindOperationContext opContext )=
 throws NamingException<br>
 =A0 =A0{<br>
 =A0 =A0 =A0 =A0// We only allow Anonymous binds if the service allows them=
 _or_<br>
 =A0 =A0 =A0 =A0// if the user wants to bind on the rootDSE<br>
 =A0 =A0 =A0 =A0if ( getDirectoryService().isAllowAnonymousAccess() || opCo=
ntext.getDn().isEmpty() ) =A0&lt;=3D=3D=3D here !!<br>
 =A0 =A0 =A0 =A0{<br>
 =A0 =A0 =A0 =A0 =A0 =A0return LdapPrincipal.ANONYMOUS;<br>
<br>
So an anonymous bind will always be accepted, as it will be identified as a=
 bind to the rootDSE (the DN is empty when doing an anonymous bind).<br>
<br>
So you *always* have access to the server even if the alowedAnonymousAccess=
 flag =A0is set to false !!!<br>
<br>
Bad ...<br>
<font color=3D"#888888"><br>
--<br>
This message is automatically generated by JIRA.<br>
-<br>
You can reply to this email to add a comment to the issue online.<br>
<br>
</font></blockquote></div><br><br clear=3D"all"><br>-- <br>Alex Karasulu<br=
>My Blog :: <a href=3D"http://www.jroller.com/akarasulu/">http://www.jrolle=
r.com/akarasulu/</a><br>Apache Directory Server :: <a href=3D"http://direct=
ory.apache.org">http://directory.apache.org</a><br>
Apache MINA :: <a href=3D"http://mina.apache.org">http://mina.apache.org</a=
><br><br>
</div>

--0022152d5cf90d2cb1046f2c5e2f--