[ http://issues.apache.org/jira/browse/DIREVE-283?page=all ]
     
Alex Karasulu resolved DIREVE-283:
----------------------------------

    Resolution: Fixed

Resolved this on commit # 328138 here:

http://svn.apache.org/viewcvs.cgi?view=rev&rev=328138

Stephan, please do me a favor and test these changes out for me.  I did write a 
test case but these fixes are less than optimal.  They're more a hack.  The p-p 
for LDAP needs to be refactored heavily ... it's a mess right now so I don't 
trust the fixes.

> If anonymous access is disabled, reading the Root DSE is forbidden by the 
> server
> --------------------------------------------------------------------------------
>
>          Key: DIREVE-283
>          URL: http://issues.apache.org/jira/browse/DIREVE-283
>      Project: Directory Server
>         Type: Bug
>     Reporter: Stefan Zoerner
>     Assignee: Alex Karasulu
>      Fix For: 0.9.3

>
> If anonymous access is disabled, i.e. configuration is 
>  <property name="allowAnonymousAccess"><value>false</value></property>
> a client which binds anonymously is not allowed to fetch any Root DSE data. 
> $ ldapsearch -b "" -s base -p 10389 "(objectclass=*)"
> ldap_simple_bind: Insufficient access
> It is expected that a client is at least able to read the attribute 
> supportedSASLMechanisms if connected anonymously. This is because s/he can 
> then decide which mechanism fits his/her needs best, before authentication. 
> Here is what RFC 2829 says:
> 5. Anonymous authentication
>    ...
>    LDAP implementations MUST support anonymous authentication, as
>    defined in section 5.1.
>    ...
>    While there MAY be access control restrictions to prevent access to
>    directory entries, an LDAP server SHOULD allow an anonymously-bound
>    client to retrieve the supportedSASLMechanisms attribute of the root
>    DSE.
>    ...
> It is quite normal that LDAP servers present the other information 
> advertised in the Root DSE to anonymously connected clients as well (e.g. 
> supportedLDAPVersion, namingContexts), even if anonymous binds are not 
> allowed (e.g. default configuration of Active Directory).
> But it seems to be up to us which information we give anonymously bound users 
> (except supportedSASLMechanisms); this is what RFC 2251 says:
> 3.4. Server-specific Data Requirements
>    An LDAP server MUST provide information about itself and other
>    information that is specific to each server.  This is represented as
>    a group of attributes located in the root DSE (DSA-Specific Entry),
>    which is named with the zero-length LDAPDN.  These attributes are
>    retrievable if a client performs a base object search of the root
>    with filter "(objectClass=*)", however they are subject to access
>    control restrictions.
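A small verification script for the behaviour the report asks for, added here as an example; it is not part of the issue, of Alex's commit, or of the ApacheDS code base. It runs the same anonymous base search of the Root DSE that the report uses, parses the LDIF that ldapsearch prints, and reports whether `supportedSASLMechanisms` (the RFC 2829 SHOULD) and the commonly exposed `supportedLDAPVersion` / `namingContexts` came back. The host `localhost:10389`, the OpenLDAP-style `-H`/`-x`/`-LLL` client options and the attribute lists are assumptions; the embedded LDIF is a constructed sample so the parser can be exercised without a server.

```python
"""Check what an anonymous LDAP client can read from the Root DSE.

Added example, not the project's own code. Assumes the OpenLDAP ldapsearch
client and a server on localhost:10389 (both assumptions).
"""
import base64
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# RFC 2829 sec. 5: a server SHOULD let an anonymously bound client read this one.
REQUIRED = ["supportedSASLMechanisms"]
# Usually exposed anonymously as well (assumption based on common deployments);
# RFC 2251 sec. 3.4 leaves them subject to access control.
COMMON = ["supportedLDAPVersion", "namingContexts"]

# Constructed sample of what `ldapsearch -LLL -b "" -s base` prints on success.
# Includes a folded continuation line and a base64 value ("Apache").
SAMPLE_LDIF = """\
dn:
objectClass: top
objectClass: extensibleObject
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
namingContexts: ou=system
namingContexts: dc=example,
 dc=com
vendorName:: QXBhY2hl
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse single-entry LDIF into attribute -> list of values.

    Unfolds continuation lines (leading space), skips comments and the
    'version:' line, and decodes 'attr:: <base64>' values.
    """
    attrs: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*)(::?)\s*(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)
    return attrs


def assess(attrs: Dict[str, List[str]]) -> Dict[str, object]:
    """Classify the anonymous view of the Root DSE against REQUIRED/COMMON."""
    return {
        "ok": all(a in attrs for a in REQUIRED),
        "missing_required": [a for a in REQUIRED if a not in attrs],
        "missing_common": [a for a in COMMON if a not in attrs],
        "sasl": attrs.get("supportedSASLMechanisms", []),
    }


def query_root_dse(host: str = "localhost",
                   port: int = 10389) -> Tuple[Optional[Dict[str, List[str]]], str]:
    """Anonymous (-x without -D) base search of the Root DSE via ldapsearch.

    Returns (attributes, "") on success or (None, stderr) when the server
    rejects the bind or search, e.g. the 'Insufficient access' in the report.
    """
    cmd = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}:{port}",
           "-b", "", "-s", "base", "(objectClass=*)", "*", "+"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None, proc.stderr.strip()
    return parse_ldif(proc.stdout), ""


if __name__ == "__main__":
    attrs, err = query_root_dse()
    if attrs is None:
        print("Root DSE not readable anonymously:", err)
    else:
        print(assess(attrs))
```

Run it once against a server with `allowAnonymousAccess` set to `false`: the expected outcome after the fix is `ok: True` with a non-empty `sasl` list, while a server that still rejects the anonymous bind shows up as the `None` branch with the same "Insufficient access" text that the report quotes.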

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira