Alex, I still face some problems with this one. Unfortunately I was not able to create a piece of Java code to reproduce them in a good way yet. I found them by connecting to a server with Softerra LDAP Browser/Administrator. With it I am currently not able to browse the directory at all, if anonymous access is allowed and I act as an admin.
I assume that the tool binds anonymously first to analyze the Root DSE, and performs a bind with UID and password afterwards on the same connection. I will continue to create a better issue description tonight, and will hopefully present a piece of code which reproduces the problem.
I currently have several problems with the behavior of the LDAP provider since this fix. At least this one is easy to demonstrate:
First I configure anonymous access for my server within server.xml like this:

    <property name="allowAnonymousAccess"><value>true</value></property>

Then I do the following via command line:

    $ ldapsearch -b "" -s base -h localhost -p 10389 "(objectclass=*)"
    supportedFeatures=1.3.6.1.4.1.4203.1.5.1
    objectClass=extensibleObject
    objectClass=top
    $

This is fine. But the following is an error:

    $ ldapsearch -b "dc=apache,dc=org" -s base -p 10389 "(objectclass=*)"
    ldap_search: Insufficient access
    ldap_search: additional info: failed on search operation: org.apache.ldap.common.message.SearchRequestImpl@5646a5: org.apache.ldap.common.exception.LdapNoPermissionException: Anonymous binds have been disabled!
        at org.apache.ldap.server.protocol.SessionRegistry.getLdapContext(SessionRegistry.java:190)
        at org.apache.ldap.server.protocol.support.SearchHandler.messageReceived(SearchHandler.java:108)
        at org.apache.mina.protocol.handler.DemuxingProtocolHandler.messageReceived(DemuxingProtocolHandler.java:94)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        at org.apache.mina.protocol.AbstractProtocolFilterChain.callNextMessageReceived(AbstractProtocolFilterChain.java:365)
        at org.apache.mina.protocol.AbstractProtocolFilterChain.access$1000(AbstractProtocolFilterChain.java:50)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$Entry$1.messageReceived(AbstractProtocolFilterChain.java:524)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$1.messageReceived(AbstractProtocolFilterChain.java:99)
        at org.apache.mina.protocol.AbstractProtocolFilterChain.callNextMessageReceived(AbstractProtocolFilterChain.java:365)
        at org.apache.mina.protocol.AbstractProtocolFilterChain.messageReceived(AbstractProtocolFilterChain.java:356)
        at org.apache.mina.protocol.ProtocolSessionManagerFilterChain$1.messageReceived(ProtocolSessionManagerFilterChain.java:76)
        at org.apache.mina.protocol.AbstractProtocolFilterChain.callNextMessageReceived(AbstractProtocolFilterChain.java:365)
        at org.apache.mina.protocol.AbstractProtocolFilterChain.access$1000(AbstractProtocolFilterChain.java:50)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$Entry$1.messageReceived(AbstractProtocolFilterChain.java:524)
        at org.apache.mina.protocol.filter.ProtocolThreadPoolFilter.processEvent(ProtocolThreadPoolFilter.java:108)
        at org.apache.mina.util.BaseThreadPool$Worker.processEvents(BaseThreadPool.java:410)
        at org.apache.mina.util.BaseThreadPool$Worker.run(BaseThreadPool.java:355)
    $

because anonymous binds are enabled. The client should be allowed to see this entry, like the admin for instance is:

    $ ldapsearch -D "uid=admin,ou=system" -w ***** -b "dc=apache,dc=org" -s base -h localhost -p 10389 "(objectclass=*)"
    dc=apache,dc=org
    dc=apache
    objectClass=extensibleObject
    objectClass=domain
    objectClass=top
    $

I'll try to file the other problem(s) (I hope it is only one in different flavors) soon -- difficult to reduce, unfortunately.

I was wrong. The other problem mentioned above has nothing to do with this issue here. It is related to resolving DIREVE-274. I have filed it in new DIREVE-294 ("Search filters with wrong case in attribute names lead to wrong result").
My last comment was unclear. The problem described above which causes an LdapNoPermissionException although anonymous binds are allowed still exists, unfortunately. Only the "other problems" mentioned in the comment are described in DIREVE-294 (and fixed, thanks to Alex!).
In order to demonstrate this remaining one I have added a test to an existing testcase here http://svn.apache.org/viewcvs.cgi?rev=328742&view=rev which tries to do the same thing in Java which I have performed with command line tools as described above. The method ("testAnonymousBindsEnabledBaseSearch") is currently commented out because it fails.

This has been fixed a long time ago, I have just retested it with the current 1.0 build. Thus I close the issue.
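
The three command-line checks from this thread, expressed as a standalone JNDI client. This is an added example, not part of the original comments and not the project's testAnonymousBindsEnabledBaseSearch method. Host, port and DNs are taken from the thread; the class name and the LDAP_ADMIN_PW environment variable are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AnonymousBaseSearchCheck {
    // Taken from the thread: server on localhost:10389 with allowAnonymousAccess=true.
    static final String URL = "ldap://localhost:10389";

    // principal == null means an anonymous bind, otherwise a simple bind.
    static DirContext connect(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        if (principal == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialDirContext(env);
    }

    // Base-scope search, the equivalent of: ldapsearch -s base -b <base> "(objectclass=*)"
    static boolean baseSearchSucceeds(DirContext ctx, String base) {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.OBJECT_SCOPE);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(base, "(objectClass=*)", controls);
            boolean found = results.hasMore();
            results.close();
            return found;
        } catch (NamingException e) { // e.g. NoPermissionException for "Insufficient access"
            System.out.println("  search of \"" + base + "\" failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        DirContext anon = connect(null, null);
        System.out.println("anonymous, Root DSE: " + baseSearchSucceeds(anon, ""));
        System.out.println("anonymous, dc=apache,dc=org: " + baseSearchSucceeds(anon, "dc=apache,dc=org"));
        anon.close();
        String pw = System.getenv("LDAP_ADMIN_PW"); // hypothetical variable name
        if (pw != null) {
            DirContext admin = connect("uid=admin,ou=system", pw);
            System.out.println("admin, dc=apache,dc=org: " + baseSearchSucceeds(admin, "dc=apache,dc=org"));
            admin.close();
        }
    }
}
```

With anonymous access enabled, all three lines should report true; with it disabled, the anonymous search of dc=apache,dc=org should report false, which makes the same client usable as a check that the server enforces the configured setting in both directions.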
http://svn.apache.org/viewcvs.cgi?view=rev&rev=328138
Stephan, please do me a favor and test these changes out for me. I did write a test case but these fixes are less than optimal. They're more a hack. The p-p for LDAP needs to be refactored heavily ... it's a mess right now so I don't trust the fixes.