[jira] Created: (DIREVE-283) If anonymous access is disabled, reading the Root DSE is forbidden by the server

Sun, 23 Oct 2005 11:51:24 -0700 

If anonymous access is disabled, reading the Root DSE is forbidden by the server
--------------------------------------------------------------------------------

         Key: DIREVE-283
         URL: http://issues.apache.org/jira/browse/DIREVE-283
     Project: Directory Server
        Type: Bug
    Reporter: Stefan Zoerner
 Assigned to: Alex Karasulu 
     Fix For: 0.9.3


If anonymous access is disabled, i.e. configuration is 
 <property name="allowAnonymousAccess"><value>false</value></property>
a client which binds anonymously is not allowed to fetch any Root DSE data. 

$ ldapsearch -b "" -s base -p 10389 "(objectclass=*)"
ldap_simple_bind: Insufficient access

It is expected that a client is at least able to read the attribute 
supportedSASLMechanisms if connected anonymously. This is because s/he can then 
decide which mechanism fits his/her needs best, before authentication. Here is 
what RFC 2829 says:

5. Anonymous authentication
   ...
   LDAP implementations MUST support anonymous authentication, as
   defined in section 5.1.
   ...
   While there MAY be access control restrictions to prevent access to
   directory entries, an LDAP server SHOULD allow an anonymously-bound
   client to retrieve the supportedSASLMechanisms attribute of the root
   DSE.
   ...

It is quite normal, that LDAP servers present the other information advertised 
in the Root DSE to anonymously connected clients as well (e.g. 
supportedLDAPVersion, namingContexts), even if anonymous binds are not allowed 
(e.g. default configuration of Active Directory).

But it seems to be up to us, which information we give anonymously bind users 
(except supportedSASLMechanisms), this is what RFC 2251 says:

3.4. Server-specific Data Requirements

   An LDAP server MUST provide information about itself and other
   information that is specific to each server.  This is represented as
   a group of attributes located in the root DSE (DSA-Specific Entry),
   which is named with the zero-length LDAPDN.  These attributes are
   retrievable if a client performs a base object search of the root
   with filter "(objectClass=*)", however they are subject to access
   control restrictions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

Reply via email to