[dovecot-cvs] dovecot/src/auth passdb-ldap.c,1.44.2.10,1.44.2.11

tss at dovecot.org tss at dovecot.org
Sun Nov 12 13:08:13 UTC 2006


Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv15877

Modified Files:
      Tag: branch_1_0
	passdb-ldap.c 
Log Message:
Don't try to use ldap_bind() with empty passwords, since Windows 2003 AD
skips password checking with them and just returns success.



Index: passdb-ldap.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-ldap.c,v
retrieving revision 1.44.2.10
retrieving revision 1.44.2.11
diff -u -d -r1.44.2.10 -r1.44.2.11
--- passdb-ldap.c	12 Nov 2006 12:59:50 -0000	1.44.2.10
+++ passdb-ldap.c	12 Nov 2006 13:07:40 -0000	1.44.2.11
@@ -246,6 +246,18 @@
 
 	i_assert(ldap_request->base != NULL);
 
+	if (*auth_request->mech_password == '\0') {
+		/* Assume that empty password fails. This is especially
+		   important with Windows 2003 AD, which always returns success
+		   with empty passwords. */
+		auth_request_log_info(auth_request, "ldap",
+				      "Login attempt with empty password");
+		passdb_ldap_request->callback.
+			verify_plain(PASSDB_RESULT_PASSWORD_MISMATCH,
+				     auth_request);
+		return;
+	}
+
 	if (conn->connected) {
 		/* switch back to the default dn before doing the next search
 		   request */



More information about the dovecot-cvs mailing list