Steffen Kaiser wrote:
On Thu, 9 Nov 2006, Timo Sirainen wrote:
Umm.. The auth bind succeeds with the empty password?
It appears so ... (tried sniffing the LDAP bind).
So should I just add a check that empty password will always fail if auth_bind=yes? This prevents having users who don't have a password (eg. they'd be proxied elsewhere), but I guess it's not that important.
Possibly, but my trust in the whole auth binds to AD thing is a bit battered - I'd like to be convinced there's no other tricks ;). The other snag is that passwords are sent to the AD in the clear so perhaps Kerberos or LDAP-over-SSL are better.
How about a "#permit_empty_passwords = yes" option in passdb backends? Not that I use accounts with empty passwords, but just in case.
Even better! OpenSSH has something similar, I think.
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
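The hole discussed in this thread and the two fixes proposed (always refuse empty passwords when authenticating by bind, and a separate opt-in for backends that compare a stored password), as an added example that is not Dovecot code and not from any of the posters. RFC 4513 section 5.1.2 calls a simple bind with a non-empty name and an empty password an "unauthenticated" bind; a server that allows it returns success without checking any credential, which is what the sniffed AD bind above showed. The directory below is a constructed in-memory stand-in with that behaviour, and the function names `auth_bind_check` and `password_lookup_check` are this example's own, not Dovecot's.

```python
"""Empty-password guard for LDAP authentication (added example, not Dovecot code).

A mail server that treats "bind returned success" as "password is correct"
must never send an empty password to the directory: if the server accepts
unauthenticated binds (RFC 4513 s.5.1.2), as the thread reports AD does, the
bind succeeds for any user name and anyone can log in with a blank password.
"""
import hmac
from typing import Callable, Optional

# Constructed stand-in for a directory that behaves like the AD in the thread.
_FAKE_DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": "correct horse battery staple",
    "cn=bob,ou=users,dc=example,dc=com": "hunter2",
}

BindFn = Callable[[str, str], bool]


def ad_like_simple_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: an empty password is an unauthenticated
    bind and 'succeeds' for any name, exactly the failure mode in the thread."""
    if password == "":
        return True
    return _FAKE_DIRECTORY.get(dn) == password


def auth_bind_check(bind: BindFn, dn: str, password: str) -> bool:
    """Authenticate by binding as the user (auth_bind=yes style).

    Empty passwords are refused unconditionally: with an auth bind there is
    no way to tell "this account really has an empty password" from "the
    server accepted an unauthenticated bind", so no opt-in is offered here.
    """
    if password == "":
        return False
    return bind(dn, password)


def password_lookup_check(stored: Optional[str], supplied: str,
                          permit_empty_passwords: bool = False) -> bool:
    """Authenticate by comparing against a password fetched from the backend.

    This is where a permit_empty_passwords option makes sense: the server
    compares the two values itself, so an empty stored password can be
    honoured deliberately instead of relying on directory bind semantics.
    """
    if stored is None:
        return False
    if supplied == "" or stored == "":
        if not permit_empty_passwords:
            return False
    # Constant-time comparison; both sides are str, so encode first.
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    alice = "cn=alice,ou=users,dc=example,dc=com"
    print("raw bind, empty password:", ad_like_simple_bind(alice, ""))
    print("guarded bind, empty password:", auth_bind_check(ad_like_simple_bind, alice, ""))
    print("guarded bind, real password:",
          auth_bind_check(ad_like_simple_bind, alice, "correct horse battery staple"))
```

The guard belongs in front of the bind call, not after it: once the request has gone to the directory, a success result carries no information about whether a credential was checked. Independently of this, the thread's point about cleartext stands; the bind should travel over LDAPS or StartTLS regardless of which check is used.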