[ https://issues.apache.org/jira/browse/DIRSERVER-1383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny reassigned DIRSERVER-1383:
--------------------------------------------

    Assignee: Emmanuel Lecharny

> There is a confusion between Anonymous access and Access to rootDSE
> -------------------------------------------------------------------
>
>                 Key: DIRSERVER-1383
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>            Assignee: Emmanuel Lecharny
>            Priority: Critical
>             Fix For: 1.5.5
>
>
> The way the Anonymous authenticator is written makes it possible to bind
> and read the rootDSE even if anonymous access is disabled on the server:
>
>     public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
>     {
>         // We only allow Anonymous binds if the service allows them _or_
>         // if the user wants to bind on the rootDSE
>         if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )  // <=== here !!
>         {
>             return LdapPrincipal.ANONYMOUS;
>
> So an anonymous bind will always be accepted, as it will be identified as a
> bind to the rootDSE (the DN is empty when doing an anonymous bind).
> So you *always* have access to the server even if the allowedAnonymousAccess
> flag is set to false !!!
> Bad ...
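The quoted predicate next to a corrected form, as an added stand-alone Java illustration that is not ApacheDS code: the stand-ins for the bind context and the principal, and the corrected check itself, are assumptions for illustration, not the project's actual fix.

```java
// Added illustration, not ApacheDS code: minimal stand-ins model the server state.
public class AnonymousBindCheck {

    // Stand-in for LdapPrincipal.ANONYMOUS (assumption).
    static final String ANONYMOUS = "ANONYMOUS";

    // Stand-in for BindOperationContext; only the bind DN matters here (assumption).
    record BindContext(String dn) {
        boolean dnIsEmpty() { return dn == null || dn.isEmpty(); }
    }

    // The predicate quoted in the issue. Every anonymous bind carries an empty DN,
    // so the right-hand side is always true and allowAnonymousAccess is never consulted.
    static String authenticateBuggy(boolean allowAnonymousAccess, BindContext ctx) {
        if (allowAnonymousAccess || ctx.dnIsEmpty()) {
            return ANONYMOUS;
        }
        throw new SecurityException("anonymous bind refused");
    }

    // Corrected form (an assumption about the fix, not the project's patch): the
    // server setting alone decides whether an anonymous bind is accepted. Whether an
    // unauthenticated client may read the rootDSE is a separate, search-time decision
    // and must not be folded into the bind check.
    static String authenticateFixed(boolean allowAnonymousAccess, BindContext ctx) {
        if (!allowAnonymousAccess) {
            throw new SecurityException("anonymous bind refused: allowAnonymousAccess=false");
        }
        return ANONYMOUS;
    }

    public static void main(String[] args) {
        BindContext anonBind = new BindContext("");   // empty DN: an anonymous bind
        boolean allowAnon = false;                    // the setting the issue describes

        System.out.println("buggy: " + authenticateBuggy(allowAnon, anonBind));
        try {
            authenticateFixed(allowAnon, anonBind);
            System.out.println("fixed: accepted");
        } catch (SecurityException e) {
            System.out.println("fixed: " + e.getMessage());
        }
    }
}
```

With the server setting false, the quoted predicate still hands back the anonymous principal because the empty DN short-circuits the check, while the corrected form refuses the bind.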

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
