directory-users mailing list archives

From Jim Willeke <...@willeke.com>
Subject Re: DS M16 and Studio M2
Date Tue, 25 Mar 2014 16:35:49 GMT
Does not say anything about "Admins" being the only ones to be able to
retrieve the values.

Only that they should be returned only as operational attributes would be.

How else would a client know the capabilities of the server?

--
-jim
Jim Willeke


On Tue, Mar 25, 2014 at 11:57 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 3/25/14 4:29 PM, Pierre Smits wrote:
> > Hi All,
> >
> > Shouldn't it be so that users other than the identified ApacheDS
> administrators
> > (like uid=admin,ou=system) shouldn't be able to see the attributes of the
> > Root DSE? When I use Apache Studio M2 v2.0.0.v20130628, any user can see
> > details of all the naming contexts (including those not of his partition and
> > supportedSASLMechanisms).
> >
> > I would say that this shouldn't be happening, as it could be a security
> > risk.
> >
> > What do you think?
>
> Agreed. RFC 4512, part 5.1 says so anyway:
>
> http://tools.ietf.org/html/rfc4512
>
>
>    5.1. Server-Specific Data Requirements
>    <http://tools.ietf.org/html/rfc4512#section-5.1>
>
>    An LDAP server SHALL provide information about itself and other
>    information that is specific to each server.  This is represented as
>    a group of attributes located in the root DSE, which is named with
>    the DN with zero RDNs (whose [RFC4514 <http://tools.ietf.org/html/rfc4514>]
>    representation is as the zero-length string).
>
>    These attributes are retrievable, subject to access control and other
>    restrictions, if a client performs a Search operation
>    [RFC4511 <http://tools.ietf.org/html/rfc4511>] with
>    an empty baseObject, scope of baseObject, the filter
>    "(objectClass=*)" [RFC4515 <http://tools.ietf.org/html/rfc4515>], and
>    the attributes field listing the
>    names of the desired attributes.  It is noted that root DSE
>    attributes are operational and, like other operational attributes,
>    are not returned in search requests unless requested by name.
>
>
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>
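The search that RFC 4512 section 5.1 describes in the quoted text, as an added example that is not part of this thread nor of ApacheDS or Apache Directory Studio: a Python 3 script (standard library only, no server contacted) that hand-encodes the root DSE SearchRequest in BER as RFC 4511 lays it out, parses it back, and applies the RFC 4511 section 4.5.1.8 attribute-selection rule which is why root DSE attributes such as supportedSASLMechanisms stay invisible unless a client names them. The helper names and the attribute list are my own constructed values. Whether the directory then returns the values to a given bind identity is the access-control decision the thread is about; this code models the protocol encoding and the selection rule, not the server's ACI.

```python
"""Added example: RFC 4512 5.1 root DSE search, BER-encoded and decoded locally,
plus the RFC 4511 4.5.1.8 rule for whether an operational attribute is returned.
No directory server is contacted; all bytes are built and parsed in-process."""

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x02, 0x04, 0x0A, 0x01
SEARCH_REQUEST = 0x63      # [APPLICATION 3], constructed (RFC 4511 4.5.1)
FILTER_PRESENT = 0x87      # Filter CHOICE [7] present, primitive
SCOPE_BASE_OBJECT = 0      # scope ENUMERATED { baseObject(0), ... }


def _ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def _ber_int(value, tag=INTEGER):
    """Minimal two's-complement encoding, shared by INTEGER and ENUMERATED."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return _tlv(tag, value.to_bytes(size, "big", signed=True))


def root_dse_search_request(message_id, attributes):
    """LDAPMessage carrying the root DSE search from RFC 4512 5.1.

    Root DSE attributes are operational, so each one wanted must be listed
    in `attributes` by name (or "+" for all operational attributes)."""
    search = _tlv(SEARCH_REQUEST,
        _tlv(OCTET_STRING, b"")                   # baseObject: zero-length DN
        + _ber_int(SCOPE_BASE_OBJECT, ENUMERATED)  # scope: baseObject
        + _ber_int(0, ENUMERATED)                  # derefAliases: never
        + _ber_int(0) + _ber_int(0)                # sizeLimit / timeLimit: none
        + _tlv(BOOLEAN, b"\x00")                   # typesOnly: FALSE
        + _tlv(FILTER_PRESENT, b"objectClass")     # "(objectClass=*)"
        + _tlv(SEQUENCE, b"".join(_tlv(OCTET_STRING, a.encode()) for a in attributes)))
    return _tlv(SEQUENCE, _ber_int(message_id) + search)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        out.append((tag, content))
    return out


def decode_root_dse_request(msg):
    """Parse the message back into its fields, checking the mandated tags."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    (mid_tag, mid), (op_tag, op) = _children(body)
    if mid_tag != INTEGER or op_tag != SEARCH_REQUEST:
        raise ValueError("not a SearchRequest")
    base, scope, _deref, _size, _time, _types, filt, attrs = _children(op)
    if filt[0] != FILTER_PRESENT:
        raise ValueError("this example decoder only handles present filters")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "base_object": base[1].decode(),
        "scope": int.from_bytes(scope[1], "big", signed=True),
        "filter": "(%s=*)" % filt[1].decode(),
        "attributes": [c.decode() for _, c in _children(attrs[1])],
    }


def will_be_returned(requested, attribute, operational):
    """RFC 4511 4.5.1.8 selection applied server-side to one attribute.

    Empty list or "*" selects all user attributes; "1.1" alone selects none;
    an operational attribute is selected only by name or via "+" (RFC 3673).
    Access control may still withhold a selected attribute afterwards."""
    names = {a.lower() for a in requested}
    if names == {"1.1"}:
        return False
    if attribute.lower() in names:
        return True
    if operational:
        return "+" in names
    return not names or "*" in names


if __name__ == "__main__":
    wire = root_dse_search_request(1, ["namingContexts", "supportedSASLMechanisms"])
    print(wire.hex())
    print(decode_root_dse_request(wire))
```

The same request typed against a live server is `ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts supportedSASLMechanisms`; the empty `-b ''` and `-s base` are the empty baseObject and baseObject scope above, and the trailing names are the attributes field. Leaving the names off returns nothing useful, which is the "unless requested by name" clause, not an access-control decision. Deciding which bind identities may read those attributes once named is the server-side ACI question raised in the thread.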
