Quanah Gibson-Mount wrote:
> --On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu
> <[email protected]> wrote:
>> Ahhh okie you're right on. My bad.
> This is quite correct. There are even some (stupid) security programs
> that will say being able to read the rootDSE is a vulnerability.
> OTOH, I've always left it read to the world, most clients prefer it. :P
Here, the problem is much more serious: it's the Bind operation which
is faulty, allowing an anonymous bind even if not allowed... Everything
else is pure theory, and if we stick to the RFC, even the rootDSE could
be read protected.
Anyway, the Bind issue must be fixed. We have tests which wrongly assume
that we *must* be able to read rootDSE as anonymous even if the
allowAnonymousAccess flag is set to 'false', just because we didn't do
the right thing: do a search on rootDSE entry *without* a previous
bind. I'm not sure you can do that using JNDI (doing a search without
issuing a BindRequest first).
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
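The check described in the reply above (a search on the rootDSE with no preceding BindRequest, which a server with allowAnonymousAccess set to false should refuse), as an added example that is not from this thread or from ApacheDS. It builds the raw LDAP SearchRequest and decodes the SearchResultDone; the two sample responses and the hypothetical function names are constructed for the example.

```python
# Added example: encode the unbound rootDSE SearchRequest and decode the server's
# SearchResultDone, so a test can assert that anonymous access is really refused.

def ber_len(n):
    """BER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v):
    """Non-negative INTEGER, with a leading 0x00 when the high bit would be set."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def root_dse_search(message_id=1, attrs=("namingContexts",)):
    """LDAPMessage { messageID, SearchRequest } for base "" / scope baseObject.
    Sent as the first message on the connection: no BindRequest (tag 0x60) before it."""
    search = (
        tlv(0x04, b"")               # baseObject: "" (the rootDSE)
        + tlv(0x0A, b"\x00")         # scope: baseObject(0)
        + tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases(0)
        + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit: unlimited
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present(objectClass), context tag [7]
        + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs))
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))  # [APPLICATION 3]

def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def search_result_code(msg):
    """resultCode of a SearchResultDone ([APPLICATION 5]), or None for other ops."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = parse_tlv(body)      # skip messageID
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x65:
        return None
    _, rc, _ = parse_tlv(op)         # resultCode ENUMERATED comes first in LDAPResult
    return int.from_bytes(rc, "big")

def anonymous_read_allowed(response):
    """True if the unbound search succeeded (resultCode 0); a refusal such as
    insufficientAccessRights (50) means the server honoured allowAnonymousAccess=false."""
    return search_result_code(response) == 0

# Constructed sample responses (messageID 1, empty matchedDN and diagnosticMessage).
DONE_SUCCESS = bytes.fromhex("30 0c 02 01 01 65 07 0a 01 00 04 00 04 00")
DONE_REFUSED = bytes.fromhex("30 0c 02 01 01 65 07 0a 01 32 04 00 04 00")
```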