[Dovecot] LDAP authentication windows 2003
Matheus Antonio Oliveira wrote:
People,
Almost resolved, but with a "blank password" against an "active directory - ldap - windows 2003 sp1" the user was logged in. See following logs.
Good notice: the situation doesn't happen in "active directory - ldap - windows 2000 sp4"
Oh dear - you're right! We're using 2003 Active Directory (but in "2000 mode") and I can repeat the behaviour with my test rc12 server ...
* OK University of Reading IMAP test ready.
. LOGIN <username> ""
. OK Logged in.
. SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 815 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1130319036] UIDs valid
* OK [UIDNEXT 816] Predicted next UID
. OK [READ-WRITE] Select completed.
and also with rc10.
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
On Thu, 2006-11-09 at 10:47 +0000, Chris Wakelin wrote:
Matheus Antonio Oliveira wrote:
People,
Almost resolved, but with a "blank password" against an "active directory - ldap - windows 2003 sp1" the user was logged in. See following logs.
Good notice: the situation doesn't happen in "active directory - ldap - windows 2000 sp4"
Oh dear - you're right! We're using 2003 Active Directory (but in "2000 mode") and I can repeat the behaviour with my test rc12 server ...
* OK University of Reading IMAP test ready.
. LOGIN <username> ""
. OK Logged in.
Umm.. The auth bind succeeds with the empty password?
So should I just add a check that empty password will always fail if auth_bind=yes? This prevents having users who don't have a password (eg. they'd be proxied elsewhere), but I guess it's not that important.
On Thu, 9 Nov 2006, Timo Sirainen wrote:
Umm.. The auth bind succeeds with the empty password?
So should I just add a check that empty password will always fail if auth_bind=yes? This prevents having users who don't have a password (eg. they'd be proxied elsewhere), but I guess it's not that important.
How about a "#permit_empty_passwords = yes" option in passdb backends? Not that I use accounts with empty passwords, but just in case.
Bye,
Steffen Kaiser
Steffen Kaiser wrote:
On Thu, 9 Nov 2006, Timo Sirainen wrote:
Umm.. The auth bind succeeds with the empty password?
It appears so ... (tried sniffing the LDAP bind).
So should I just add a check that empty password will always fail if auth_bind=yes? This prevents having users who don't have a password (eg. they'd be proxied elsewhere), but I guess it's not that important.
Possibly, but my trust in the whole auth binds to AD thing is a bit battered - I'd like to be convinced there's no other tricks ;). The other snag is that passwords are sent to the AD in the clear so perhaps Kerberos or LDAP-over-SSL are better.
How about a "#permit_empty_passwords = yes" option in passdb backends? Not that I use accounts with empty passwords, but just in case.
Even better! OpenSSH has something similar, I think.
Chris
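What the thread is seeing is the LDAP "unauthenticated" simple bind of RFC 4513 section 5.1.2: a BindRequest that carries a DN but an empty password is, by the protocol's definition, not a credential check at all, and a server that allows the mechanism answers resultCode success for it. The following is an added example and not Dovecot code or the code of anyone on the thread. It encodes the BindRequest that goes on the wire, models a constructed toy directory that accepts unauthenticated binds (the behaviour observed above), and shows the passdb-side guard Timo proposes, with the `permit_empty_passwords` knob Steffen suggests modelled as a hypothetical keyword argument; the directory contents and DNs are made up.

```python
"""
Added example (not Dovecot's code): LDAP simple bind with an empty password.

RFC 4513 section 5.1 distinguishes three simple-bind cases:
  anonymous        - empty name, empty password
  unauthenticated  - non-empty name, empty password  (no credential checked)
  authenticated    - non-empty name, non-empty password
A server that permits unauthenticated binds returns success for the second
case, which is exactly how a blank IMAP password becomes "OK Logged in".
"""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ldap_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest } per RFC 4511 section 4.2.

    The simple authentication choice ([0] OCTET STRING, tag 0x80) carries the
    password in the clear; only TLS on the connection protects it on the wire.
    Toy encoder: message IDs are limited to a single BER integer byte.
    """
    assert 0 <= message_id < 0x80, "toy encoder: single-byte message IDs only"
    version = _ber(0x02, b"\x03")                       # INTEGER 3
    name = _ber(0x04, dn.encode("utf-8"))               # LDAPDN (OCTET STRING)
    auth = _ber(0x80, password.encode("utf-8"))         # [0] simple
    bind_request = _ber(0x60, version + name + auth)    # [APPLICATION 0] SEQUENCE
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_request)


def classify_bind(dn: str, password: str) -> str:
    """Which RFC 4513 section 5.1 simple-bind mechanism a request uses."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    return "authenticated"


# Constructed toy directory standing in for the AD the thread binds against.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=org": "correct horse battery staple",
}


def server_bind(dn: str, password: str, allow_unauthenticated: bool) -> int:
    """Toy bind handler returning an LDAP resultCode.

    With allow_unauthenticated=True it behaves like the directory in the
    thread: DN plus empty password gets success although no credential was
    checked. With False it rejects that case as invalidCredentials.
    """
    kind = classify_bind(dn, password)
    if kind == "anonymous":
        return LDAP_SUCCESS
    if kind == "unauthenticated":
        return LDAP_SUCCESS if allow_unauthenticated else LDAP_INVALID_CREDENTIALS
    if DIRECTORY.get(dn) == password:
        return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS


def passdb_auth_bind(dn: str, password: str, *,
                     permit_empty_passwords: bool = False,
                     allow_unauthenticated: bool = True) -> bool:
    """Client-side guard in the spirit of the check discussed in the thread.

    An empty password is refused before any bind is sent unless the operator
    has opted in through the hypothetical permit_empty_passwords knob. Note
    that opting in is only safe against a server that rejects unauthenticated
    binds; against the default modelled here it reopens the hole.
    """
    if password == "" and not permit_empty_passwords:
        return False
    return server_bind(dn, password, allow_unauthenticated) == LDAP_SUCCESS


if __name__ == "__main__":
    dn = "cn=alice,ou=users,dc=example,dc=org"
    print(ldap_bind_request(1, dn, "").hex())
    print("guard off:", server_bind(dn, "", True) == LDAP_SUCCESS)
    print("guard on: ", passdb_auth_bind(dn, ""))
```

The guard is deliberately placed before the network call: a server-side fix (refusing unauthenticated binds) and a transport fix (LDAPS or Kerberos, so the simple-bind password is not sent in the clear) are both still worth having, but neither removes the need for the client to stop treating an empty password as a credential to verify.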