[ http://issues.apache.org/jira/browse/DIREVE-283?page=all ]
Alex Karasulu resolved DIREVE-283:
----------------------------------
Resolution: Fixed
Committed revision 328979 here:
http://svn.apache.org/viewcvs.cgi?rev=328979&view=rev
> If anonymous access is disabled, reading the Root DSE is forbidden by the
> server
> --------------------------------------------------------------------------------
>
> Key: DIREVE-283
> URL: http://issues.apache.org/jira/browse/DIREVE-283
> Project: Directory Server
> Type: Bug
> Reporter: Stefan Zoerner
> Assignee: Alex Karasulu
> Fix For: 0.9.3
>
> If anonymous access is disabled, i.e. configuration is
> <property name="allowAnonymousAccess"><value>false</value></property>
> a client which binds anonymously is not allowed to fetch any Root DSE data.
> $ ldapsearch -b "" -s base -p 10389 "(objectclass=*)"
> ldap_simple_bind: Insufficient access
> It is expected that a client is at least able to read the attribute
> supportedSASLMechanisms if connected anonymously. This is because s/he can
> then decide which mechanism fits his/her needs best, before authentication.
> Here is what RFC 2829 says:
> 5. Anonymous authentication
> ...
> LDAP implementations MUST support anonymous authentication, as
> defined in section 5.1.
> ...
> While there MAY be access control restrictions to prevent access to
> directory entries, an LDAP server SHOULD allow an anonymously-bound
> client to retrieve the supportedSASLMechanisms attribute of the root
> DSE.
> ...
> It is quite normal that LDAP servers present the other information
> advertised in the Root DSE to anonymously connected clients as well (e.g.
> supportedLDAPVersion, namingContexts), even if anonymous binds are not
> allowed (e.g. default configuration of Active Directory).
> But it seems to be up to us which information we give anonymously bound users
> (except supportedSASLMechanisms); this is what RFC 2251 says:
> 3.4. Server-specific Data Requirements
> An LDAP server MUST provide information about itself and other
> information that is specific to each server. This is represented as
> a group of attributes located in the root DSE (DSA-Specific Entry),
> which is named with the zero-length LDAPDN. These attributes are
> retrievable if a client performs a base object search of the root
> with filter "(objectClass=*)", however they are subject to access
> control restrictions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
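The access decision the report asks for, modelled in Python as an added example (this is not ApacheDS code and does not use its authorization subsystem; the Session and ServerConfig types, the sample Root DSE contents and the anonymous_root_dse_attrs option are all constructed here). legacy_search reproduces the behaviour the reporter observed, where an anonymous session is refused outright when allowAnonymousAccess is false; search keeps that refusal for everything except a base-scope read of the Root DSE, which is filtered down to supportedSASLMechanisms (RFC 2829 section 5) plus whatever the operator chooses to expose, as RFC 2251 section 3.4 permits:

```python
"""Root DSE access decision modelled after DIREVE-283.

Added illustration, not ApacheDS code: the entry contents, the
Session/ServerConfig types and the policy functions are constructed here.
"""
from dataclasses import dataclass

ROOT_DSE_DN = ""      # the zero-length DN names the root DSE (RFC 2251 s.3.4)
SCOPE_BASE = "base"

# Constructed sample Root DSE carrying the attributes the report mentions.
ROOT_DSE = {
    "supportedSASLMechanisms": ["DIGEST-MD5", "CRAM-MD5", "GSSAPI"],
    "supportedLDAPVersion": ["3"],
    "namingContexts": ["ou=system"],
    "vendorName": ["Apache Software Foundation"],
}

# RFC 2829 s.5: an anonymously bound client SHOULD be able to read this
# attribute even when anonymous access is otherwise disabled.
ALWAYS_ANONYMOUS_READABLE = frozenset({"supportedSASLMechanisms"})


class InsufficientAccess(Exception):
    """Stands in for LDAP resultCode insufficientAccessRights (50)."""


@dataclass(frozen=True)
class Session:
    anonymous: bool


@dataclass(frozen=True)
class ServerConfig:
    # Mirrors <property name="allowAnonymousAccess"> from the report.
    allow_anonymous_access: bool
    # Further Root DSE attributes the operator chooses to expose anonymously
    # (RFC 2251 leaves these to access control). Constructed option.
    anonymous_root_dse_attrs: frozenset = frozenset()


def _read_root_dse(attrs=None):
    """Return the requested Root DSE attributes (all of them when attrs is None)."""
    if attrs is None:
        return dict(ROOT_DSE)
    return {a: ROOT_DSE[a] for a in attrs if a in ROOT_DSE}


def _is_root_dse_read(base_dn, scope):
    return (base_dn, scope) == (ROOT_DSE_DN, SCOPE_BASE)


def legacy_search(session, config, base_dn, scope, attrs=None):
    """Pre-fix behaviour from the report: an anonymous session is refused
    outright whenever allowAnonymousAccess is false, Root DSE included."""
    if session.anonymous and not config.allow_anonymous_access:
        raise InsufficientAccess("Insufficient access")
    # This model holds no entries other than the Root DSE.
    return _read_root_dse(attrs) if _is_root_dse_read(base_dn, scope) else {}


def search(session, config, base_dn, scope, attrs=None):
    """Fixed behaviour: the anonymous refusal still covers every other search,
    but a base-scope read of the Root DSE goes through and is filtered down to
    the attributes policy allows an anonymous client to see."""
    if not session.anonymous or config.allow_anonymous_access:
        return _read_root_dse(attrs) if _is_root_dse_read(base_dn, scope) else {}
    if not _is_root_dse_read(base_dn, scope):
        raise InsufficientAccess("Insufficient access")
    permitted = ALWAYS_ANONYMOUS_READABLE | config.anonymous_root_dse_attrs
    return {a: v for a, v in _read_root_dse(attrs).items() if a in permitted}


if __name__ == "__main__":
    # Replays the report's anonymous base search against "" with
    # allowAnonymousAccess=false under both behaviours.
    anon, locked = Session(anonymous=True), ServerConfig(allow_anonymous_access=False)
    try:
        legacy_search(anon, locked, ROOT_DSE_DN, SCOPE_BASE)
    except InsufficientAccess as e:
        print("legacy:", e)
    print("fixed: ", search(anon, locked, ROOT_DSE_DN, SCOPE_BASE))
```

Passing the attribute set an operator wants public (for instance supportedLDAPVersion and namingContexts, as the report notes Active Directory does by default) in anonymous_root_dse_attrs widens the anonymous view of the Root DSE without touching any other entry; an anonymous search anywhere else, or for a Root DSE attribute outside the permitted set, still yields nothing.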