[ http://issues.apache.org/jira/browse/DIRSERVER-360?page=all ]
Stefan Zoerner closed DIRSERVER-360.
------------------------------------

This has been fixed a long time ago, I have just retested it with the current 1.0 build. Thus I close the issue.

> If anonymous access is disabled, reading the Root DSE is forbidden by the server
> --------------------------------------------------------------------------------
>
>          Key: DIRSERVER-360
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-360
>      Project: Directory ApacheDS
>   Issue Type: Bug
>     Reporter: Stefan Zoerner
>  Assigned To: Alex Karasulu
>
> If anonymous access is disabled, i.e. configuration is
>
>   <property name="allowAnonymousAccess"><value>false</value></property>
>
> a client which binds anonymously is not allowed to fetch any Root DSE data.
>
>   $ ldapsearch -b "" -s base -p 10389 "(objectclass=*)"
>   ldap_simple_bind: Insufficient access
>
> It is expected that a client is at least able to read the attribute supportedSASLMechanisms if connected anonymously. This is because s/he can then decide which mechanism fits his/her needs best, before authentication.
> Here is what RFC 2829 says:
>
>   5. Anonymous authentication
>   ...
>   LDAP implementations MUST support anonymous authentication, as defined in section 5.1.
>   ...
>   While there MAY be access control restrictions to prevent access to directory entries, an LDAP server SHOULD allow an anonymously-bound client to retrieve the supportedSASLMechanisms attribute of the root DSE.
>   ...
>
> It is quite normal that LDAP servers present the other information advertised in the Root DSE to anonymously connected clients as well (e.g. supportedLDAPVersion, namingContexts), even if anonymous binds are not allowed (e.g. default configuration of Active Directory).
> But it seems to be up to us which information we give anonymously bound users (except supportedSASLMechanisms); this is what RFC 2251 says:
>
>   3.4. Server-specific Data Requirements
>   An LDAP server MUST provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE (DSA-Specific Entry), which is named with the zero-length LDAPDN. These attributes are retrievable if a client performs a base object search of the root with filter "(objectClass=*)", however they are subject to access control restrictions.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
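The access decision the issue asks for, as an added illustration that is not ApacheDS code: with allowAnonymousAccess false, an anonymous base search of the root DSE still yields supportedSASLMechanisms (RFC 2829 section 5), other root DSE attributes are released only if the operator opts in (RFC 2251 section 3.4 leaves them to access control), and anything else anonymous is refused. The root DSE values, the ServerConfig/SearchRequest types and the attribute names in the opt-in set are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed root DSE contents for this example (not ApacheDS's actual values).
ROOT_DSE = {
    "supportedSASLMechanisms": ["DIGEST-MD5", "CRAM-MD5", "GSSAPI"],
    "supportedLDAPVersion": ["3"],
    "namingContexts": ["dc=example,dc=com"],
    "vendorName": ["Example Directory"],
}
# The one attribute RFC 2829 section 5 says SHOULD be readable anonymously.
ALWAYS_ANONYMOUS = frozenset({"supportedsaslmechanisms"})


@dataclass
class ServerConfig:
    allow_anonymous_access: bool = False        # the allowAnonymousAccess property
    # Further root DSE attributes the operator chooses to advertise anonymously.
    anonymous_root_dse_attrs: frozenset = frozenset()


@dataclass
class SearchRequest:
    base_dn: str
    scope: str                                  # "base", "one" or "sub"
    filter: str
    attributes: list = field(default_factory=list)  # [] means "all user attributes"
    authenticated: bool = False                 # False models an anonymous bind


class InsufficientAccess(Exception):
    pass


def is_root_dse_read(req: SearchRequest) -> bool:
    """Base-object search of the zero-length DN with filter (objectClass=*)."""
    return req.base_dn == "" and req.scope == "base" and req.filter.lower() == "(objectclass=*)"


def root_dse_search(cfg: ServerConfig, req: SearchRequest) -> dict:
    """Return the root DSE attributes this requester may read (names are case-insensitive)."""
    if not is_root_dse_read(req):
        if req.authenticated or cfg.allow_anonymous_access:
            raise ValueError("only root DSE searches are modelled here")
        raise InsufficientAccess("anonymous access disabled")   # the correct refusal
    by_lower = {a.lower(): (a, v) for a, v in ROOT_DSE.items()}
    wanted = [a.lower() for a in req.attributes] or list(by_lower)
    if req.authenticated or cfg.allow_anonymous_access:
        visible = set(by_lower)
    else:   # anonymous bind while anonymous access is disabled: RFC 2829 minimum plus opt-ins
        visible = ALWAYS_ANONYMOUS | {a.lower() for a in cfg.anonymous_root_dse_attrs}
    return {by_lower[a][0]: by_lower[a][1] for a in wanted if a in visible and a in by_lower}
```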
