Posted to dev@directory.apache.org by Stefan Seelmann <se...@apache.org> on 2009/10/28 18:28:34 UTC

ApacheDS 1.5.5 anonymous access

Hi,

I think I made some critical investigations.

1st:
In ApacheDS 1.5.5 anonymous access is enabled by default. In server.xml
we have two flags:

  <defaultDirectoryService id="directoryService" instanceId="default"
                           allowAnonymousAccess="true"
                           ...>
 
  <ldapServer id="ldapServer"
            allowAnonymousAccess="false"
            ...>

Although the flag in <ldapServer> is set to "false" anonymous access
works. In fact, changing this flag has no effect.

However, changing the flag in <defaultDirectoryService> disables
anonymous access.


2nd:
When binding as anonymous one could make modifications to the server
(add, modify, delete)! Is this intended?

Kind Regards,
Stefan
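
An added example, not part of the original post or of ApacheDS: a small Python check over server.xml that applies the observation above, treating the <defaultDirectoryService> flag as the one that is honoured and reporting an <ldapServer> flag that disagrees with it. The sample XML is constructed, and the helper names `audit` and `local` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two flags quoted in the post; the real
# server.xml carries more attributes and child elements (shown as "..." there).
SAMPLE = """<beans>
  <defaultDirectoryService id="directoryService" instanceId="default"
                           allowAnonymousAccess="true"/>
  <ldapServer id="ldapServer" allowAnonymousAccess="false"/>
</beans>"""

EFFECTIVE = "defaultDirectoryService"  # flag that changes behaviour, per the post
IGNORED = "ldapServer"                 # flag reported to have no effect


def local(tag):
    """Drop any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (anonymous_enabled, findings); anonymous_enabled is None if unset."""
    flags = {}
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name in (EFFECTIVE, IGNORED):
            raw = el.get("allowAnonymousAccess")
            flags[name] = None if raw is None else raw.strip().lower() == "true"
    findings = []
    effective = flags.get(EFFECTIVE)
    if effective is None:
        findings.append(f"{EFFECTIVE}: allowAnonymousAccess not set explicitly; "
                        "confirm the behaviour with an anonymous bind test")
    elif effective:
        findings.append(f"{EFFECTIVE}: anonymous access is ENABLED")
    ignored = flags.get(IGNORED)
    if ignored is not None and effective is not None and ignored != effective:
        findings.append(f"{IGNORED}: allowAnonymousAccess={str(ignored).lower()} "
                        f"disagrees with {EFFECTIVE} and is not the flag honoured")
    return effective, findings


if __name__ == "__main__":
    enabled, notes = audit(SAMPLE)
    print("anonymous access enabled:", enabled)
    for note in notes:
        print(" -", note)
```

A clean result only describes the configuration file; the second point in the post (anonymous add, modify, delete) still has to be checked against the running server.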



Re: ApacheDS 1.5.5 anonymous access

Posted by Stefan Seelmann <se...@apache.org>.
Hi Emmanuel,

Emmanuel Lecharny wrote:
>>
>> Although the flag in <ldapServer> is set to "false" anonymous access
>> works. In fact, changing this flag has no effect.
> 
> AFAIR, only one of the two flags is useful. We must remove the other one.

OK.

But what about the default? Should anonymous access be enabled or
disabled by default? IMO it should be disabled.

>> 2nd:
>> When binding as anonymous one could make modifications to the server
>> (add, modify, delete)! Is this intended?
> 
> Well, why not ?

Ok, you are right. Why not. I think I was a bit surprised because other
servers don't allow write access for anonymous (at least by default).

Kind Regards,
Stefan


Re: ApacheDS 1.5.5 anonymous access

Posted by Emmanuel Lecharny <el...@apache.org>.
On Wed, Oct 28, 2009 at 10:28 AM, Stefan Seelmann <se...@apache.org> wrote:
> Hi,
>
> I think I made some critical investigations.
>
> 1st:
> In ApacheDS 1.5.5 anonymous access is enabled by default. In server.xml
> we have two flags:
>
>  <defaultDirectoryService id="directoryService" instanceId="default"
>                           allowAnonymousAccess="true"
>                           ...>
>
>  <ldapServer id="ldapServer"
>            allowAnonymousAccess="false"
>            ...>
>
> Although the flag in <ldapServer> is set to "false" anonymous access
> works. In fact, changing this flag has no effect.

AFAIR, only one of the two flags is useful. We must remove the other one.

> 2nd:
> When binding as anonymous one could make modifications to the server
> (add, modify, delete)! Is this intended?

Well, why not ?


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com