Return-Path: X-Original-To: apmail-directory-dev-archive@www.apache.org Delivered-To: apmail-directory-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 95ABE6B39 for ; Tue, 12 Jul 2011 08:01:35 +0000 (UTC) Received: (qmail 72841 invoked by uid 500); 12 Jul 2011 08:01:34 -0000 Delivered-To: apmail-directory-dev-archive@directory.apache.org Received: (qmail 72593 invoked by uid 500); 12 Jul 2011 08:01:29 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 71095 invoked by uid 99); 12 Jul 2011 08:01:25 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Jul 2011 08:01:25 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of akarasulu@gmail.com designates 74.125.82.44 as permitted sender) Received: from [74.125.82.44] (HELO mail-ww0-f44.google.com) (74.125.82.44) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Jul 2011 08:01:17 +0000 Received: by wwe5 with SMTP id 5so4668503wwe.1 for ; Tue, 12 Jul 2011 01:00:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=l+yM0cfEvMRp7mQSVYVZUdRvPRFc/50yxyi5uSffk5I=; b=Xw2Hd1x8JhzWOky7aYD7yFP4RqOni15paKyuqsy9wRTVyOYT7os1HaHMxdYeWuK0jH JdviifF+etnFO4qOyrE/7/nJS0d0sRJOBklXChV9rJAy346pjevlWdUH6QQjhpDlFK1G FFfNNhItIrT3FcW3m3ovHMGFX/Jnsr8yZVQh4= MIME-Version: 1.0 Received: by 10.216.169.16 with SMTP id m16mr3869325wel.83.1310457657346; Tue, 12 Jul 2011 01:00:57 -0700 (PDT) Sender: akarasulu@gmail.com Received: by 10.216.13.74 with HTTP; Tue, 12 Jul 2011 01:00:57 -0700 (PDT) In-Reply-To: <4E1BF814.2030904@gmail.com> References: <20110710212302.D0D4C23888FE@eris.apache.org> <4E1A9E6F.5020107@gmail.com> <4E1BE163.2030501@apache.org> <4E1BF814.2030904@gmail.com> Date: Tue, 12 Jul 2011 11:00:57 +0300 X-Google-Sender-Auth: WFDGIitgXG7wSZig0oZhmlAt7rY Message-ID: Subject: Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java From: Alex Karasulu To: Apache Directory Developers List , elecharny@apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Tue, Jul 12, 2011 at 10:30 AM, Emmanuel Lecharny w= rote: > On 7/12/11 9:19 AM, Alex Karasulu wrote: >>> >>> =A0rather than >>> >>> this.session =3D directoryService.getAdminSession(); in >>> setDirectoryService()) >>> >>> what we already know is that DS is available and user/app can do >>> anything if has got access to, but more important is >>> the usage from an app developer's POV, if I have a web app that allows >>> users to connect to the server using LdapCoreSessionConnection >>> then assigning admin session by default during initialization will be >>> a serious security issue. >> >> LDAP applications rarely align their authorization schema with LDAP >> security. Most applications just connect as admin and handle lookups >> on behalf of their users. > > Yes. This is very true, and usually, because such apps are using a > connection pool. It's also safe as it's protected (well, suposely protect= ed) > by the application : one can't access to this part unless already > identified. Although I do think it's not necessarily a good idea, it's du= e > to the fact it's costly to establish a physical connection. Now, one can > still use an already existing connection, and bind with a different user, > instead of using an admin session... Misconceptions are always spread ver= y > quickly, and are hard to fix... >> >> But I think you and Emmanuel both make a good case here. We need to >> solve this better since some applications like the self service >> applications we've spoken about writing might use direct LDAP >> security. However I think we don't just go with an anonymous session >> or a admin session. We need a means to make this decision better. > > LDAP specify that you can do operation without being bound, and in this > case, the session will be anonymous. Defaulting to anonymous is then pret= ty > natural. Now, you may have something different in mind, can you elaborate= ? > (Of course, the server might reject such operations done on a anonymous > session, and I can see that as a major issue if we default to anonymous) You're right we should either go anonymous or take the approach below which IMO is better. See below... >> >> We should require a bind to set the exact session. > > That's an option : if the server reject anonymous operations, then > obviously, the user *must* bind. I would say that it *should* be the defa= ult > mode... So you're saying allow anonymous then if there is a failure then allow user to bind? Or by default force the user to bind? Alex