ApacheDS 1.5.5 anonymous access

Hi,

I think I made some critical investigations.

1st:
In ApacheDS 1.5.5 anonymous access is enabled by default. In server.xml
we have two flags:

  <defaultDirectoryService id="directoryService" instanceId="default"
                           allowAnonymousAccess="true"
                           ...>
 
  <ldapServer id="ldapServer"
            allowAnonymousAccess="false"
            ...>

Although the flag in <ldapServer> is set to "false" anonymous access
works. In fact, changing this flag has no effect.

However changing the flag in <defaultDirectoryService> disables
anonymous access.


2nd:
When binding as anonymous one could make modifications to the server
(add, modify, delete)! Is this intended?

Kind Regards,
Stefan

On Wed, Oct 28, 2009 at 10:28 AM, Stefan Seelmann <seelmann@...> wrote:
AFAIR, only one of the two flags is useful. We must remove the other one.

> 2nd:
> When binding as anonymous one could make modifications to the server
> (add, modify, delete)! Is this intended?

Well, why not ?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Hi Emmanuel,

Emmanuel Lecharny wrote:
>>
>> Although the flag in <ldapServer> is set to "false" anonymous access
>> works. In fact, changing this flag has no effect.
>
> AFAIR, only one of the two flags is useful. We must remove the other one.

OK.

But what about the default? Should anonymous access be enabled or
disabled by default? IMO it should be disabled.

>> 2nd:
>> When binding as anonymous one could make modifications to the server
>> (add, modify, delete)! Is this intended?
>
> Well, why not ?

Ok, you are right. Why not. I think I was a bit surprised because other
servers don't allow write access for anonymous (at least by default).

Kind Regards,
Stefan