Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 1.5.4
- None
- None
Description
The way the Anonymous authenticator is written makes it possible to bind and read the rootDSE even if anonymous access is disabled on the server:
    public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
    {
        // We only allow Anonymous binds if the service allows them or
        // if the user wants to bind on the rootDSE
        if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() ) // <=== here !!
        {
            return LdapPrincipal.ANONYMOUS;
        }
        // ... (remainder of the method not quoted in the report)
    }
So an anonymous bind will always be accepted, as it will be identified as a bind to the rootDSE (the DN is empty when doing an anonymous bind).
So you always have access to the server even if the allowAnonymousAccess flag is set to false!!!
Bad ...
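To make the flaw concrete, here is an added example (not ApacheDS code and not the project's actual fix) that models the reported condition next to a corrected decision; BindRequest, AnonymousBindCheck and the use of javax.naming.NoPermissionException are assumptions of this example. Run with the flag disabled, the reported condition still binds an empty-DN request as anonymous, while the corrected one rejects it.

```java
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

/** Hypothetical model of the authenticator decision; not ApacheDS code and not its actual fix. */
class AnonymousBindCheck {
    static final String ANONYMOUS = "anonymous";  // stands in for LdapPrincipal.ANONYMOUS
    private final boolean allowAnonymousAccess;   // stands in for isAllowAnonymousAccess()
    AnonymousBindCheck(boolean allowAnonymousAccess) { this.allowAnonymousAccess = allowAnonymousAccess; }

    /** The condition as reported: an empty DN alone is enough to be bound, whatever the flag says. */
    String authenticateAsReported(BindRequest req) throws NamingException {
        if (allowAnonymousAccess || req.dn.isEmpty()) {
            return ANONYMOUS;
        }
        throw new NoPermissionException("anonymous bind not allowed");
    }

    /** Corrected decision: an empty DN *is* an anonymous bind, so it must obey the flag. */
    String authenticateHardened(BindRequest req) throws NamingException {
        if (!req.isAnonymous()) {
            throw new NamingException("not an anonymous bind; another authenticator must handle it");
        }
        if (!allowAnonymousAccess) {
            // Whether unauthenticated clients may still read the rootDSE is an
            // authorization decision on the search path, not a reason to accept a bind.
            throw new NoPermissionException("anonymous access is disabled on this server");
        }
        return ANONYMOUS;
    }

    public static void main(String[] args) {
        AnonymousBindCheck server = new AnonymousBindCheck(false);     // anonymous access disabled
        BindRequest anonymousBind = new BindRequest("", new byte[0]);  // constructed: empty DN, no password
        for (boolean hardened : new boolean[] { false, true }) {
            String label = hardened ? "hardened" : "reported";
            try {
                String who = hardened ? server.authenticateHardened(anonymousBind)
                                      : server.authenticateAsReported(anonymousBind);
                System.out.println(label + ": bound as " + who);
            } catch (NamingException e) {
                System.out.println(label + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}

/** Minimal stand-in for BindOperationContext: the bind DN plus the supplied credentials. */
class BindRequest {
    final String dn;
    final byte[] credentials;
    BindRequest(String dn, byte[] credentials) { this.dn = dn; this.credentials = credentials; }
    /** An LDAP anonymous bind carries an empty DN and an empty password. */
    boolean isAnonymous() { return dn.isEmpty() && (credentials == null || credentials.length == 0); }
}
```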