19 Dec 2008, 1:53 a.m.
Timo,
It seems that the "nopassword" extra field (more exactly, the auth_request->no_password condition) is completely ignored in passdb-ldap.c, due to (line 112 as of Dovecot 1.1.7):
===
if (auth_request->passdb_password == NULL) {
	auth_request_log_error(auth_request, "ldap",
			       "No password in reply");
} else if (ldap_next_entry(conn->ld, entry) != NULL) {
	auth_request_log_error(auth_request, "ldap",
		"pass_filter matched multiple objects, aborting");
} else if (auth_request->passdb_password == NULL &&
	   !auth_request->no_password) {
	auth_request_log_info(auth_request, "ldap",
		"Empty password returned without nopassword");
	passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
	/* passdb_password may change on the way,
	   so we'll need to strdup. */
	password = t_strdup(auth_request->passdb_password);
	passdb_result = PASSDB_RESULT_OK;
}
===
As we see, the first "if" block intercepts the auth_request->passdb_password == NULL condition, ignoring auth_request->no_password and making line 127 (passdb_result = PASSDB_RESULT_OK) unreachable even if auth_request->no_password is set. For my local installation I've just removed the first "if" block (see the patch in the attachment), and it seems to fix the problem.
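
The branch ordering described in the message above can be checked exhaustively with a small model. This is an added example, not Dovecot code and not the attached patch: the enum names, the function names and the assumption that the result starts out as an internal failure are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the passdb result codes (hypothetical names). */
enum result { INTERNAL_FAILURE, PASSWORD_MISMATCH, RESULT_OK };

/* Branch order as quoted in the message (Dovecot 1.1.7). */
static enum result check_original(const char *pw, bool more_entries, bool no_password)
{
	enum result r = INTERNAL_FAILURE; /* assumed initial value */
	if (pw == NULL) {
		/* "No password in reply": swallows every NULL case */
	} else if (more_entries) {
		/* "pass_filter matched multiple objects, aborting" */
	} else if (pw == NULL && !no_password) {
		r = PASSWORD_MISMATCH; /* dead code: pw is never NULL here */
	} else {
		r = RESULT_OK;
	}
	return r;
}

/* Same chain with the first branch removed, as the message describes. */
static enum result check_patched(const char *pw, bool more_entries, bool no_password)
{
	enum result r = INTERNAL_FAILURE; /* assumed initial value */
	if (more_entries) {
		/* multiple-match guard still runs first */
	} else if (pw == NULL && !no_password) {
		r = PASSWORD_MISMATCH;
	} else {
		r = RESULT_OK;
	}
	return r;
}

/* Walk all 8 input combinations and count where the two chains disagree. */
static int count_differences(void)
{
	int diff = 0;
	for (int i = 0; i < 8; i++) {
		const char *pw = (i & 1) ? "{PLAIN}constructed" : NULL;
		bool more = (i & 2) != 0, nopw = (i & 4) != 0;
		enum result a = check_original(pw, more, nopw);
		enum result b = check_patched(pw, more, nopw);
		printf("pw=%-4s more=%d nopassword=%d  original=%d patched=%d\n",
		       pw ? "set" : "NULL", more, nopw, a, b);
		diff += (a != b);
	}
	return diff;
}

int main(void) { return count_differences() == 2 ? 0 : 1; }
```

The two chains differ only for a NULL password with a single matching entry; a NULL password without nopassword still fails, and the multiple-match guard is unaffected.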