On 7/12/11 9:19 AM, Alex Karasulu wrote:
> rather than
>
> this.session = directoryService.getAdminSession(); in setDirectoryService())
>
> what we already know is that DS is available and user/app can do
> anything if it has got access to it, but more important is
> the usage from an app developer's POV, if I have a web app that allows
> users to connect to the server using LdapCoreSessionConnection
> then assigning admin session by default during initialization will be
> a serious security issue.
> LDAP applications rarely align their authorization schema with LDAP
> security. Most applications just connect as admin and handle lookups
> on behalf of their users.
Yes. This is very true, and usually, because such apps are using a connection pool. It's also safe as it's protected (well, supposedly protected) by the application: one can't access this part unless already identified. Although I do think it's not necessarily a good idea, it's due to the fact it's costly to establish a physical connection. Now, one can still use an already existing connection, and bind with a different user, instead of using an admin session... Misconceptions are always spread very quickly, and are hard to fix...
> But I think you and Emmanuel both make a good case here. We need to
> solve this better since some applications like the self service
> applications we've spoken about writing might use direct LDAP
> security. However I think we don't just go with an anonymous session
> or an admin session. We need a means to make this decision better.
LDAP specifies that you can do operations without being bound, and in this case, the session will be anonymous. Defaulting to anonymous is then pretty natural. Now, you may have something different in mind, can you elaborate? (Of course, the server might reject such operations done on an anonymous session, and I can see that as a major issue if we default to anonymous)
> We should require a bind to set the exact session.
That's an option: if the server rejects anonymous operations, then obviously, the user *must* bind. I would say that it *should* be the default mode...


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
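The three session policies argued over in this thread (admin by default, anonymous by default, and anonymous-but-bind-required) are easiest to compare side by side. The model below is an added example, not ApacheDS code: `Server`, `Session`, the directory entries, the passwords and the access rules are all constructed for illustration, and only the admin DN follows ApacheDS's well-known `uid=admin,ou=system`. It plays the web-app scenario from the quoted message: a session handed to an end user's request without that user having bound.

```python
"""Illustrative model of the session-default question raised in the thread.

Added example, not ApacheDS code: the Server, Session, directory contents,
access rules and passwords below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ADMIN_DN = "uid=admin,ou=system"              # ApacheDS's well-known admin DN
ADMIN_PASSWORD = "constructed-admin-secret"   # constructed

# Constructed directory: DN -> attributes. userPassword is the sensitive part.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": {
        "cn": "Alice", "mail": "alice@example.com", "userPassword": "alice-pw"},
    "uid=bob,ou=users,dc=example,dc=com": {
        "cn": "Bob", "mail": "bob@example.com", "userPassword": "bob-pw"},
}
PUBLIC_ATTRS = {"cn"}  # what an unbound (anonymous) session may read


class AuthError(Exception):
    """Bind failed: unknown DN or wrong password."""


class AccessDenied(Exception):
    """The server rejected the operation for the session's principal."""


@dataclass
class Server:
    """Toy directory server. allow_anonymous=False models the 'require a bind'
    mode from the thread: every operation on an unbound session is rejected."""
    allow_anonymous: bool = True

    def authenticate(self, dn: str, password: str) -> bool:
        if dn == ADMIN_DN:
            return password == ADMIN_PASSWORD
        entry = DIRECTORY.get(dn)
        return entry is not None and entry["userPassword"] == password

    def lookup(self, principal: Optional[str], dn: str) -> dict:
        entry = DIRECTORY[dn]
        if principal == ADMIN_DN:
            return dict(entry)                      # admin sees everything
        if principal is None:
            if not self.allow_anonymous:
                raise AccessDenied("anonymous operations are rejected")
            return {k: v for k, v in entry.items() if k in PUBLIC_ATTRS}
        if principal == dn:                         # a user reads their own entry
            return {k: v for k, v in entry.items() if k != "userPassword"}
        raise AccessDenied(f"{principal} may not read {dn}")


class Session:
    """Models the core-session connection under discussion. default_admin=True
    reproduces the objected-to behaviour: the session starts out bound as admin,
    so whoever holds the object operates with full rights. Otherwise it is unbound."""

    def __init__(self, server: Server, default_admin: bool = False):
        self.server = server
        self.principal = ADMIN_DN if default_admin else None

    def bind(self, dn: str, password: str) -> None:
        if not self.server.authenticate(dn, password):
            raise AuthError(f"bind failed for {dn}")
        self.principal = dn

    def lookup(self, dn: str) -> dict:
        return self.server.lookup(self.principal, dn)


def web_app_lookup(session: Session, target_dn: str):
    """A web app serving an end user's request on the given session.
    Returns the attributes read, or the name of the exception raised."""
    try:
        return session.lookup(target_dn)
    except (AccessDenied, AuthError) as exc:
        return type(exc).__name__


def compare_defaults() -> dict:
    """Run the same end-user request against each session policy."""
    bob = "uid=bob,ou=users,dc=example,dc=com"
    alice = "uid=alice,ou=users,dc=example,dc=com"
    results = {}
    # 1. Admin by default: an unauthenticated request reads Bob's password.
    results["admin_default"] = web_app_lookup(Session(Server(), default_admin=True), bob)
    # 2. Anonymous by default: only public attributes come back.
    results["anonymous_default"] = web_app_lookup(Session(Server()), bob)
    # 3. Anonymous by default, but the server rejects anonymous operations.
    results["anonymous_rejected"] = web_app_lookup(Session(Server(allow_anonymous=False)), bob)
    # 4. Explicit bind as Alice: her own entry minus the password, and not Bob's.
    session = Session(Server(allow_anonymous=False))
    session.bind(alice, "alice-pw")
    results["bound_self"] = web_app_lookup(session, alice)
    results["bound_other"] = web_app_lookup(session, bob)
    return results


if __name__ == "__main__":
    for policy, outcome in compare_defaults().items():
        print(f"{policy:20} -> {outcome}")
```

The first result is the problem the quoted message describes: with an admin session assigned during initialization, the web app's request returns Bob's `userPassword` without anyone having authenticated. The anonymous default narrows that to public attributes, the bind-required server turns it into a hard rejection, and an explicit bind scopes what the session can read to that user's own rights.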
