[Dovecot] LDAP authentication windows 2003
Chris Wakelin
c.d.wakelin at reading.ac.uk
Thu Nov 9 15:30:29 UTC 2006
Steffen Kaiser wrote:
> On Thu, 9 Nov 2006, Timo Sirainen wrote:
>
>> Umm.. The auth bind succeeds with the empty password?
It appears so ... (tried sniffing the LDAP bind).
>
>> So should I just add a check that empty password will always fail if
>> auth_bind=yes? This prevents having users who don't have a password (eg.
>> they'd be proxied elsewhere), but I guess it's not that important.
Possibly, but my trust in the whole auth binds to AD thing is a bit
battered - I'd like to be convinced there are no other tricks ;). The
other snag is that passwords are sent to the AD in the clear so perhaps
Kerberos or LDAP-over-SSL are better.
>
> How about a "#permit_empty_passwords = yes" option in passdb backends?
> Not that I use accounts with empty passwords, but just in case.
>
Even better! OpenSSH has something similar, I think.
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
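
The check discussed in this thread, as an added example that is not part of the original message and is not Dovecot's code: the password verifier before and after an empty-password guard. `mock_simple_bind`, `verify_unguarded`, `verify_guarded` and `struct passdb_settings` are hypothetical names, and the directory is a constructed stand-in that answers an empty-password bind with success, as the thread reports.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the directory: as reported in the thread, a simple
 * bind that carries a DN and a zero-length password is answered with success,
 * without any credential having been checked. */
static bool mock_simple_bind(const char *dn, const char *password)
{
    if (password[0] == '\0')
        return true;
    return strcmp(dn, "cn=alice,dc=example,dc=org") == 0 &&  /* constructed user */
           strcmp(password, "correct horse") == 0;            /* constructed secret */
}

/* Hypothetical setting, named after the option proposed in the thread. */
struct passdb_settings { bool permit_empty_passwords; };

enum verify_result { VERIFY_OK, VERIFY_MISMATCH, VERIFY_EMPTY_REJECTED };

/* Before: the bind result alone decides. */
static enum verify_result verify_unguarded(const char *dn, const char *password)
{
    return mock_simple_bind(dn, password) ? VERIFY_OK : VERIFY_MISMATCH;
}

/* After: an empty password never reaches the server unless explicitly allowed. */
static enum verify_result verify_guarded(const struct passdb_settings *set,
                                         const char *dn, const char *password)
{
    if (password == NULL || password[0] == '\0') {
        if (!set->permit_empty_passwords)
            return VERIFY_EMPTY_REJECTED;
        password = "";
    }
    return mock_simple_bind(dn, password) ? VERIFY_OK : VERIFY_MISMATCH;
}

int main(void)
{
    const struct passdb_settings strict = { false };
    const char *dn = "cn=alice,dc=example,dc=org";

    printf("unguarded, empty password: %d\n", verify_unguarded(dn, ""));
    printf("guarded, empty password:   %d\n", verify_guarded(&strict, dn, ""));
    printf("guarded, right password:   %d\n", verify_guarded(&strict, dn, "correct horse"));
    return 0;
}
```

With `permit_empty_passwords` set, the empty password is passed to the bind again and the server's answer is trusted as before.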