[dovecot-cvs] dovecot/src/auth passdb-ldap.c,1.44.2.10,1.44.2.11
tss at dovecot.org
Sun Nov 12 13:08:13 UTC 2006
Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv15877
Modified Files:
Tag: branch_1_0
passdb-ldap.c
Log Message:
Don't try to use ldap_bind() with empty passwords, since Windows 2003 AD
skips password checking with them and just returns success.
Index: passdb-ldap.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-ldap.c,v
retrieving revision 1.44.2.10
retrieving revision 1.44.2.11
diff -u -d -r1.44.2.10 -r1.44.2.11
--- passdb-ldap.c 12 Nov 2006 12:59:50 -0000 1.44.2.10
+++ passdb-ldap.c 12 Nov 2006 13:07:40 -0000 1.44.2.11
@@ -246,6 +246,18 @@
i_assert(ldap_request->base != NULL);
+ if (*auth_request->mech_password == '\0') {
+ /* Assume that empty password fails. This is especially
+ important with Windows 2003 AD, which always returns success
+ with empty passwords. */
+ auth_request_log_info(auth_request, "ldap",
+ "Login attempt with empty password");
+ passdb_ldap_request->callback.
+ verify_plain(PASSDB_RESULT_PASSWORD_MISMATCH,
+ auth_request);
+ return;
+ }
+
if (conn->connected) {
/* switch back to the default dn before doing the next search
request */
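Review bot: the added check dereferences auth_request->mech_password with no visible guarantee that it is non-NULL; the only assertion just above it covers ldap_request->base. Since the point of this guard is to fail closed before the bind is attempted, consider testing `auth_request->mech_password == NULL || *auth_request->mech_password == '\0'`, or adding an i_assert on mech_password beside the existing one. The early return also sits ahead of the `if (conn->connected)` block, so please confirm that nothing set up for passdb_ldap_request earlier in the function needs to be released on this path.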