On 3/25/14 4:29 PM, Pierre Smits wrote:
> Hi All,
>
> Shouldn't it be so that others than the identified ApacheDS administrators
> (like uid=admin,ou=system) shouldn't be able to see the attributes of the
> Root DSE? When I use Apache Studio M2 v2.0.0.v20130628, any user can see
> details of all the naming contexts (including those not of his partition, and
> supportedSASLMechanisms).
>
> I would say that this shouldn't be happening, as it could be a security
> risk.
>
> What do you think?
Agreed. RFC 4512, section 5.1 says so anyway: http://tools.ietf.org/html/rfc4512#section-5.1

    5.1. Server-Specific Data Requirements

    An LDAP server SHALL provide information about itself and other
    information that is specific to each server. This is represented as a
    group of attributes located in the root DSE, which is named with the DN
    with zero RDNs (whose [RFC4514 <http://tools.ietf.org/html/rfc4514>]
    representation is as the zero-length string).

    These attributes are retrievable, subject to access control and other
    restrictions, if a client performs a Search operation
    [RFC4511 <http://tools.ietf.org/html/rfc4511>] with an empty baseObject,
    scope of baseObject, the filter "(objectClass=*)"
    [RFC4515 <http://tools.ietf.org/html/rfc4515>], and the attributes field
    listing the names of the desired attributes.

    It is noted that root DSE attributes are operational and, like other
    operational attributes, are not returned in search requests unless
    requested by name.

-- 
Regards, Cordialement,
Emmanuel Lécharny
www.iktek.com
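The search that RFC 4512 section 5.1 describes, on the wire as RFC 4511 BER, together with the check Pierre was doing by hand in Studio (does an unauthenticated client get namingContexts and supportedSASLMechanisms back?). This is an added example, not code from this thread, from ApacheDS or from Apache Directory Studio; the server reply is constructed by hand to mirror the behaviour reported above, and the attribute names watched are the two the thread mentions. It uses only the Python standard library so it runs offline.

```python
"""Root DSE search as RFC 4511 BER bytes, plus a check on what the server returned.

Added example (not ApacheDS / Directory Studio code). The SearchResultEntry built
below is constructed by hand to look like what an unrestricted server answers.
"""


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Contents of a non-negative INTEGER (leading 0x00 when the top bit is set)."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")


def read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def read_seq(payload):
    """All (tag, contents) pairs inside a constructed value."""
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        items.append((tag, val))
    return items


# Client side: the search RFC 4512 s.5.1 describes.
def root_dse_search_request(message_id, attributes):
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] } aimed at the root DSE."""
    search = tlv(0x63, b"".join([
        tlv(0x04, b""),              # baseObject: zero-length DN = the root DSE
        tlv(0x0A, b"\x00"),          # scope: baseObject(0)
        tlv(0x0A, b"\x00"),          # derefAliases: neverDerefAliases(0)
        tlv(0x02, b"\x00"),          # sizeLimit 0
        tlv(0x02, b"\x00"),          # timeLimit 0
        tlv(0x01, b"\x00"),          # typesOnly FALSE
        tlv(0x87, b"objectClass"),   # filter: present [7] -> "(objectClass=*)"
        tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attributes)),  # named by name
    ]))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + search)


def parse_search_request(op):
    """(baseObject, scope, (filterTag, filterContents), attributes) of a SearchRequest."""
    items = read_seq(op)
    attrs = [v.decode() for _, v in read_seq(items[7][1])]
    return items[0][1].decode(), items[1][1][0], items[6], attrs


# Server side: SearchResultEntry [APPLICATION 4].
def search_result_entry(message_id, dn, attributes):
    attr_list = b"".join(
        tlv(0x30, tlv(0x04, atype.encode())
            + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vals)))
        for atype, vals in attributes.items())
    entry = tlv(0x64, tlv(0x04, dn.encode()) + tlv(0x30, attr_list))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + entry)


def parse_ldap_message(msg):
    """(messageID, protocolOp tag, protocolOp contents); controls are ignored."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, mid), (op_tag, op) = read_seq(body)[:2]
    return int.from_bytes(mid, "big"), op_tag, op


def parse_search_result_entry(op):
    (_, dn), (_, attr_list) = read_seq(op)
    result = {}
    for _, attr in read_seq(attr_list):
        (_, atype), (_, vals) = read_seq(attr)
        result[atype.decode()] = [v.decode() for _, v in read_seq(vals)]
    return dn.decode(), result


# The check from the thread: root DSE attributes named there as worth hiding.
WATCHED = ("namingContexts", "supportedSASLMechanisms")


def exposed_root_dse_attributes(entry_attrs, watched=WATCHED):
    """Watched attributes the server returned with at least one value."""
    return sorted(a for a in watched if entry_attrs.get(a))


def anonymous_root_dse_probe(server_reply):
    """Decode the reply to an anonymous root DSE search and list what leaked."""
    _, op_tag, op = parse_ldap_message(server_reply)
    if op_tag != 0x64:               # e.g. SearchResultDone carrying an error
        return []
    _, attrs = parse_search_result_entry(op)
    return exposed_root_dse_attributes(attrs)


if __name__ == "__main__":
    print("SearchRequest:", root_dse_search_request(1, list(WATCHED)).hex())
    # Constructed reply, as an unrestricted server would answer an anonymous bind.
    reply = search_result_entry(1, "", {
        "namingContexts": ["dc=example,dc=com", "ou=system"],
        "supportedSASLMechanisms": ["GSSAPI", "DIGEST-MD5"],
    })
    print("leaked to anonymous:", anonymous_root_dse_probe(reply))
```

To run it against a real server, send the bytes from root_dse_search_request over a plain (unbound, i.e. anonymous) connection and feed the first reply to anonymous_root_dse_probe; a non-empty result means the root DSE is readable without authentication, which is what the thread reports seeing in Studio.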
