[dovecot-cvs] dovecot/src/auth passdb-ldap.c,1.55,1.56
tss at dovecot.org
Sun Nov 12 13:07:45 UTC 2006
Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv15873
Modified Files:
passdb-ldap.c
Log Message:
Don't try to use ldap_bind() with empty passwords, since Windows 2003 AD
skips password checking with them and just returns success.
Index: passdb-ldap.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-ldap.c,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -d -r1.55 -r1.56
--- passdb-ldap.c 12 Nov 2006 12:59:51 -0000 1.55
+++ passdb-ldap.c 12 Nov 2006 13:07:43 -0000 1.56
@@ -246,6 +246,18 @@
i_assert(ldap_request->base != NULL);
+ if (*auth_request->mech_password == '\0') {
+ /* Assume that empty password fails. This is especially
+ important with Windows 2003 AD, which always returns success
+ with empty passwords. */
+ auth_request_log_info(auth_request, "ldap",
+ "Login attempt with empty password");
+ passdb_ldap_request->callback.
+ verify_plain(PASSDB_RESULT_PASSWORD_MISMATCH,
+ auth_request);
+ return;
+ }
+
if (conn->connected) {
/* switch back to the default dn before doing the next search
request */
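Review bot: The new guard dereferences auth_request->mech_password (the "*auth_request->mech_password == '\0'" test) without confirming the pointer is non-NULL. Nothing in the visible lines establishes that. If this point can be reached with no password set, the check itself faults instead of rejecting the login. Consider adding i_assert(auth_request->mech_password != NULL) next to the existing i_assert on ldap_request->base, or testing for NULL and for the empty string together. The comment could also say that the early return is what keeps an empty password from ever reaching the bind, so the check has to stay ahead of the conn->connected block. If any other path in passdb-ldap.c binds with the user-supplied password, it needs the same guard, since this hunk covers only this one call site.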