Stefan Zoerner wrote:
Quanah Gibson-Mount wrote:
--On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu
<[email protected]> wrote:
Ahhh okie you're right on. My bad.
This is quite correct. There are even some (stupid) security
programs that will say being able to read the rootDSE is a
vulnerability. OTOH, I've always left it read to the world, most
clients prefer it. :P
There are also tests within the Open Group LDAP certification suite
which check whether the Root DSE is readable anonymously. But it is
OK if we are able to configure a server to behave like that for a
test run. No need to make that the default.
Stefan, all we need is a way to send a SearchRequest targeting the
RootDSE without a previous BindRequest. Not sure that JNDI allows such
an operation.
As soon as we can read rootDSE without being bound, then we are golden,
as the way we protect the rest of the entries is different.
Also, the RFC states that the rootDSE *may* be protected, which does not
mean it should be. And I think, like Quanah, that it does not make a lot
of sense to protect it, unless you want to get numerous mails on the
users mailing list about the unavailable rootDSE ;)
Thanks Stefan !
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
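The unbound RootDSE read discussed above, as an added example that is not part of this thread, of ApacheDS or of JNDI: instead of going through JNDI, the LDAP SearchRequest (RFC 4511) is BER-encoded by hand so it can be written to a plain TCP socket before any BindRequest, and the SearchResultDone is decoded to see whether the server answered success (0) or insufficientAccessRights (50). The response bytes used below are constructed samples; a test harness would feed in what the server actually returned.

```python
"""Hand-encoded LDAP SearchRequest for the RootDSE, sent with no BindRequest.
Added example for this thread; not ApacheDS or JNDI code."""

def ber(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def rootdse_search_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] }: empty
    baseObject (= RootDSE), scope baseObject, filter (objectClass=*),
    attributes "*" and "+" so operational attributes are returned too."""
    search = (
        ber(0x04, b"")               # baseObject: "" names the RootDSE
        + ber(0x0A, b"\x00")         # scope: baseObject
        + ber(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + ber(0x02, b"\x00")         # sizeLimit: 0 (server default)
        + ber(0x02, b"\x00")         # timeLimit: 0 (server default)
        + ber(0x01, b"\x00")         # typesOnly: FALSE
        + ber(0x87, b"objectClass")  # filter: present [CONTEXT 7] objectClass
        + ber(0x30, ber(0x04, b"*") + ber(0x04, b"+"))
    )
    # INTEGER must stay positive: add a leading 0x00 byte when the high bit is set
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    return ber(0x30, ber(0x02, mid) + ber(0x63, search))

def result_code(ldap_message: bytes) -> int:
    """resultCode of a SearchResultDone [APPLICATION 5]: 0 = success,
    50 = insufficientAccessRights (RootDSE not readable anonymously)."""
    tag, body, _ = read_tlv(ldap_message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)                 # skip messageID
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x65:
        raise ValueError("not a SearchResultDone")
    _, code, _ = read_tlv(op)                  # LDAPResult.resultCode ENUMERATED
    return int.from_bytes(code, "big")
```

Because nothing here is tied to JNDI, the same bytes can be sent from a raw socket in a certification test run and the server's behaviour compared against the expected resultCode for that configuration.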