directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <>
Subject Re: DS M16 and Studio M2
Date Tue, 25 Mar 2014 15:57:28 GMT
Le 3/25/14 4:29 PM, Pierre Smits a écrit :
> Hi All,
> Shouldn't it be so that others than the identified ApacheDs administrators
> (like uid=admin,ou=system) shouldn't be able to see the attributes of the
> Root DSE? When I use Apache Studio M2 v2.0.0.v20130628, any user can see
> details all the naming context (including those not of his partition and
> supportedSASLMechanisms).
> I would say that this shouldn't be happening, as it could be a security
> risk.
> What do you think?

Agreed. RFC 4512, part 5.1 says so anyway :

      5.1 <>.
      Server-Specific Data Requirements

   An LDAP server SHALL provide information about itself and other
   information that is specific to each server.  This is represented as
   a group of attributes located in the root DSE, which is named with
   the DN with zero RDNs (whose [RFC4514 <>] representation
is as the
   zero-length string).

   These attributes are retrievable, subject to access control and other
   restrictions, if a client performs a Search operation [RFC4511 <>]
   an empty baseObject, scope of baseObject, the filter
   "(objectClass=*)" [RFC4515 <>], and the attributes
field listing the
   names of the desired attributes.  It is noted that root DSE
   attributes are operational and, like other operational attributes,
   are not returned in search requests unless requested by name.

Emmanuel Lécharny 

View raw message