Posted to dev@directory.apache.org by Stefan Zoerner <st...@labeo.de> on 2007/12/30 15:13:44 UTC

ApacheDS bigbang configuration: allowAnonymousAccess Question

Hi all,

Currently I am reworking the Basic User's Guide in cwiki for the upcoming 2.0
version of ApacheDS.

Let me first say that the new configuration file server.xml with the 
xbean stuff is much clearer and therefore also easier to document against.

During configuration of authentication options for chapter 3.1 ("Basic 
Security -- Authentication options") I faced a problem with the 
attribute allowAnonymousAccess.

It is allowed in three elements in server.xml (and used in all of them 
in the default file which comes with the installer as well):

(1) apacheDS

   <apacheDS id="apacheDS"
             synchPeriodMillis="15000"
             allowAnonymousAccess="false">
    ...

(2) defaultDirectoryService

   <defaultDirectoryService id="directoryService" instanceId="default"
                            workingDirectory="example.com"
                            allowAnonymousAccess="false"
    ...

(3) ldapServer

   <ldapServer id="ldapServer"
               ipPort="10389"
               allowAnonymousAccess="false"
    ...

I am not really sure which combinations of true and false values in 
these areas are valid, and which behavior they should show.

For instance it is sufficient to enable anonymous access on the apacheDS 
level (allowAnonymousAccess="true"), all other elements can still remain 
false, but anonymous binds work.

Does a configuration on a higher level (apacheDS) overwrite values below 
(ldapServer)? I guess not ...

Any help here is highly welcome. I would like to document legal and 
intended configuration and behavior.

Thanks in advance and greetings from Hamburg,
     Stefan
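
Added example, not part of the original thread or of the ApacheDS project: a Python check that reads a server.xml and reports the allowAnonymousAccess value on each of the three elements named above, flagging any level set to true and any disagreement between levels. The sample document, its <beans> wrapper and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that the post says accept allowAnonymousAccess.
ELEMENTS = ("apacheDS", "defaultDirectoryService", "ldapServer")

# Constructed sample modelled on the fragments in the post; the <beans> wrapper
# and the nesting are assumptions, and a real server.xml may carry namespaces.
SAMPLE = """
<beans>
  <defaultDirectoryService id="directoryService" instanceId="default"
                           workingDirectory="example.com"
                           allowAnonymousAccess="false"/>
  <ldapServer id="ldapServer" ipPort="10389" allowAnonymousAccess="false"/>
  <apacheDS id="apacheDS" synchPeriodMillis="15000" allowAnonymousAccess="true"/>
</beans>
"""

def local_name(tag):
    """Strip a '{namespace}' prefix so namespaced files match too."""
    return tag.rsplit("}", 1)[-1]

def anonymous_settings(xml_text):
    """Return {(element, id): True/False/None}; None means attribute absent."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = local_name(el.tag)
        if name in ELEMENTS:
            raw = el.get("allowAnonymousAccess")
            value = None if raw is None else raw.strip().lower() == "true"
            found[(name, el.get("id", "?"))] = value
    return found

def audit(xml_text):
    """Flag explicit 'true', absent attributes, and disagreement between levels."""
    settings = anonymous_settings(xml_text)
    findings = []
    for (name, ident), value in sorted(settings.items()):
        if value is True:
            findings.append(f"{name}[{ident}]: anonymous access enabled")
        elif value is None:
            findings.append(f"{name}[{ident}]: attribute absent, default applies")
    if len(set(settings.values())) > 1:
        findings.append("levels disagree; effective behaviour is not documented")
    for missing in sorted(set(ELEMENTS) - {n for n, _ in settings}):
        findings.append(f"{missing}: element not found")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The check takes no position on which level wins; it treats any level set to true as worth review, in line with the observation above that enabling the apacheDS level alone was enough for anonymous binds to work.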


Re: ApacheDS bigbang configuration: allowAnonymousAccess Question

Posted by Stefan Zoerner <st...@labeo.de>.
Hi Alex!

Thanks for the feedback.

Alex Karasulu wrote:
> There are different levels at which anonymous access is controlled 
> depending on how an anonymous user comes into the system.  At a bare 
> minimum in embedded mode the authentication interceptor needs some 
> configuration on how to handle users that are anonymous.  Then if LDAP 
> access is enabled over the wire then this configuration information is 
> needed by the protocol services as well.  I guess this can be extracted 
> from the directory service but sometimes there may need to be some 
> override - don't remember exactly.

This makes perfect sense. I was a little bit confused, because some 
configuration combinations do not work in the branch as I had expected.

> What I want to do is finish up a few things in this second phase that 
> affects how authentication may be done and review the authentication 
> interceptor and this configuration stuff.  Something here is not right 
> and I have not had the time to really sit down and figure it all out.
> 
> Perhaps we should just suspend this one parameter's documentation until 
> these issues are clearly resolved or understood?

No problem. Thanks again for clarifying this. I will add a TODO item in 
the documentation.

Greetings,
     Stefan



Re: ApacheDS bigbang configuration: allowAnonymousAccess Question

Posted by Alex Karasulu <ak...@apache.org>.
Stefan,

There are different levels at which anonymous access is controlled depending
on how an anonymous user comes into the system.  At a bare minimum in
embedded mode the authentication interceptor needs some configuration on how
to handle users that are anonymous.  Then if LDAP access is enabled over the
wire then this configuration information is needed by the protocol services
as well.  I guess this can be extracted from the directory service but
sometimes there may need to be some override - don't remember exactly.

What I want to do is finish up a few things in this second phase that
affects how authentication may be done and review the authentication
interceptor and this configuration stuff.  Something here is not right and I
have not had the time to really sit down and figure it all out.

Perhaps we should just suspend this one parameter's documentation until
these issues are clearly resolved or understood?

Thanks,
Alex

On Dec 30, 2007 9:13 AM, Stefan Zoerner <st...@labeo.de> wrote:

> Hi all,
>
> Currently I am reworking the Basic User's Guide in cwiki for the upcoming 2.0
> version of ApacheDS.
>
> Let me first say that the new configuration file server.xml with the
> xbean stuff is much clearer and therefore also easier to document against.
>
> During configuration of authentication options for chapter 3.1 ("Basic
> Security -- Authentication options") I faced a problem with the
> attribute allowAnonymousAccess.
>
> It is allowed in three elements in server.xml (and used in all of them
> in the default file which comes with the installer as well):
>
> (1) apacheDS
>
>   <apacheDS id="apacheDS"
>             synchPeriodMillis="15000"
>             allowAnonymousAccess="false">
>    ...
>
> (2) defaultDirectoryService
>
>   <defaultDirectoryService id="directoryService" instanceId="default"
>                            workingDirectory="example.com"
>                            allowAnonymousAccess="false"
>    ...
>
> (3) ldapServer
>
>   <ldapServer id="ldapServer"
>               ipPort="10389"
>               allowAnonymousAccess="false"
>    ...
>
> I am not really sure which combinations of true and false values in
> these areas are valid, and which behavior they should show.
>
> For instance it is sufficient to enable anonymous access on the apacheDS
> level (allowAnonymousAccess="true"), all other elements can still remain
> false, but anonymous binds work.
>
> Does a configuration on a higher level (apacheDS) overwrite values below
> (ldapServer)? I guess not ...
>
> Any help here is highly welcome. I would like to document legal and
> intended configuration and behavior.
>
> Thanks in advance and greetings from Hamburg,
>     Stefan
>
>