9 Nov
2006
9 Nov
'06
5:05 p.m.
On Thu, 2006-11-09 at 10:47 +0000, Chris Wakelin wrote:
Matheus Antonio Oliveira wrote:
People,
Almost resolved, but with "blank password" against a "active directory - ldap - windows 2003 sp1" the user was logged in. See following logs.
Good notice: the situation doesn't happen in "active directory - ldap - windows 2000 sp4"
Oh dear - you're right! We're using 2003 Active Directory (but in "2000 mode") and I can repeat the behaviour with my test rc12 server ...
- OK University of Reading IMAP test ready. . LOGIN <username> "" . OK Logged in.
Umm.. The auth bind succeeds with the empty password?
So should I just add a check that empty password will always fail if auth_bind=yes? This prevents having users who don't have a password (eg. they'd be proxied elsewhere), but I guess it's not that important.