There is a confusion between Anonymous access and Access to rootDSE
-------------------------------------------------------------------
Key: DIRSERVER-1383
URL: https://issues.apache.org/jira/browse/DIRSERVER-1383
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.4
Reporter: Emmanuel Lecharny
Priority: Critical
Fix For: 1.5.5
The way the Anonymous authenticator is written makes it possible to bind
and read the rootDSE even if anonymous access is disabled on the server:
    public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
    {
        // We only allow Anonymous binds if the service allows them _or_
        // if the user wants to bind on the rootDSE
        if ( getDirectoryService().isAllowAnonymousAccess() ||
             opContext.getDn().isEmpty() )   // <=== here !!
        {
            return LdapPrincipal.ANONYMOUS;
So an anonymous bind will always be accepted, as it will be identified as a
bind to the rootDSE (the DN is empty when doing an anonymous bind).
So you *always* have access to the server even if the allowAnonymousAccess
flag is set to false !!!
Bad ...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
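Added example, not ApacheDS code and not the project's actual patch for this issue: a small Python model of the bind decision quoted in the report, next to a corrected version that applies the reporter's reasoning. The buggy predicate "allow if anonymous access is enabled OR the bind DN is empty" is shown to be equivalent to "always allow" for anonymous binds, because an anonymous simple bind is by definition the one with an empty name (and empty password, per RFC 4513). The corrected version consults only the server flag at bind time and moves the rootDSE exception to where it belongs, a per-operation read check. The names BindRequest, fixed_bind_allowed, rootdse_read_allowed and the allow_rootdse_without_bind flag are assumptions made for illustration.

```python
# Added example (not ApacheDS code): models the bind decision from the
# AnonymousAuthenticator quoted in DIRSERVER-1383 and a corrected variant.
# BindRequest, fixed_bind_allowed, rootdse_read_allowed and the
# allow_rootdse_without_bind flag are illustrative assumptions.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class BindRequest:
    dn: str          # bind name; "" for an anonymous simple bind
    password: bytes  # empty for an anonymous simple bind


def is_anonymous_bind(req: BindRequest) -> bool:
    # RFC 4513 section 5.1.1: anonymous simple bind = empty name + empty password
    return req.dn == "" and len(req.password) == 0


def vulnerable_bind_allowed(allow_anonymous_access: bool, req: BindRequest) -> bool:
    """Mirrors the buggy predicate from the report. The "bind on the rootDSE"
    exception tests for an empty DN, which is exactly the shape of every
    anonymous bind, so the flag is never consulted in the one case it exists
    to block: the result is True for any anonymous bind."""
    return allow_anonymous_access or req.dn == ""


def fixed_bind_allowed(allow_anonymous_access: bool, req: BindRequest) -> bool:
    """Corrected predicate (the reporter's reasoning applied; not the project's
    patch). An anonymous bind succeeds only when the server permits it. Whether
    an unauthenticated client may still read the rootDSE is a separate decision
    taken per operation (see rootdse_read_allowed), not a reason to bind."""
    if not is_anonymous_bind(req):
        # Not an anonymous bind; this authenticator has nothing to say about it.
        return False
    return allow_anonymous_access


def rootdse_read_allowed(allow_rootdse_without_bind: bool,
                         session_authenticated: bool,
                         base_dn: str, scope: str) -> bool:
    """Where the rootDSE exception belongs (assumed design): a base-scope search
    on the empty DN is the rootDSE read. An unauthenticated session may do that
    only if the server explicitly allows it, and may do nothing else."""
    if session_authenticated:
        return True
    return allow_rootdse_without_bind and base_dn == "" and scope == "base"


def decision_table():
    """Compare both predicates for an anonymous bind under each flag value.
    Returns a list of (allow_anonymous_access, vulnerable, fixed) tuples."""
    anon = BindRequest("", b"")
    rows = []
    for allow in (False, True):
        rows.append((allow, vulnerable_bind_allowed(allow, anon),
                     fixed_bind_allowed(allow, anon)))
    return rows


if __name__ == "__main__":
    for allow, vuln, fixed in decision_table():
        print(f"allowAnonymousAccess={allow!s:5}  buggy={vuln!s:5}  fixed={fixed!s:5}")
    # Unauthenticated rootDSE read vs. a real subtree search, rootDSE allowed:
    for base, scope in product(("", "dc=example,dc=com"), ("base", "sub")):
        ok = rootdse_read_allowed(True, False, base, scope)
        print(f"unauthenticated search base={base!r:22} scope={scope:4} -> {ok}")
```

Run it directly to print the comparison: with allowAnonymousAccess=false the buggy predicate still returns True for the anonymous bind, the corrected one returns False, and the only unauthenticated operation that the separate read check admits is the base-scope search on the empty DN.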