dovecot-2.2: auth ldap: Don't require password field to exist fo...

dovecot at dovecot.org dovecot at dovecot.org
Wed Aug 27 04:39:36 UTC 2014


details:   http://hg.dovecot.org/dovecot-2.2/rev/4136f64146d0
changeset: 17748:4136f64146d0
user:      Timo Sirainen <tss at iki.fi>
date:      Wed Aug 27 13:38:53 2014 +0900
description:
auth ldap: Don't require password field to exist for passdb lookups when auth_bind=yes.
This should fix lmtp/doveadm proxy lookups with auth_bind=yes

diffstat:

 src/auth/passdb-ldap.c |  15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

diffs (67 lines):

diff -r 4a11d88a280a -r 4136f64146d0 src/auth/passdb-ldap.c
--- a/src/auth/passdb-ldap.c	Tue Aug 26 16:00:37 2014 +0900
+++ b/src/auth/passdb-ldap.c	Wed Aug 27 13:38:53 2014 +0900
@@ -36,6 +36,7 @@
 	} callback;
 
 	unsigned int entries;
+	bool require_password;
 };
 
 static void
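Review bot: `require_password` fails open as added here, because the request struct is allocated with `p_new` (zero-filled) and the flag therefore defaults to FALSE. Any request that never goes through `ldap_lookup_pass()` would skip the missing-password rejection if it reaches that check. The only assignment in the visible hunks is in `ldap_lookup_pass()`; whether other paths reach the check lies outside this diff, so please confirm. At minimum document the field, e.g. `/* TRUE = reject the entry when LDAP returns no password and no nopassword; set only by ldap_lookup_pass() */`, or invert it to an `allow_missing_password` flag so the zero default stays strict.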
@@ -83,6 +84,7 @@
 			"pass_filter matched multiple objects, aborting");
 		passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
 	} else if (auth_request->passdb_password == NULL &&
+		   ldap_request->require_password &&
 		   !auth_fields_exists(auth_request->extra_fields, "nopassword")) {
 		auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
 			"No password returned (and no nopassword)");
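Review bot: When `require_password` is FALSE, an entry with no password and no `nopassword` skips this branch and continues into the rest of the if/else chain (outside the hunk) with `auth_request->passdb_password == NULL`. That presumably ends in a non-failure result, so every consumer of the credentials callback must treat a NULL password as "no credentials" and never as a match; this is worth verifying for the non-proxy callers. The info log is also lost on this path, so a missing password attribute under auth_bind=yes becomes invisible to operators. Consider a debug-level line such as `auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "No password returned, ignored because auth_bind=yes");`.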
@@ -273,7 +275,8 @@
 }
 
 static void ldap_lookup_pass(struct auth_request *auth_request,
-			     struct passdb_ldap_request *request)
+			     struct passdb_ldap_request *request,
+			     bool require_password)
 {
 	struct passdb_module *_module = auth_request->passdb->passdb;
 	struct ldap_passdb_module *module =
@@ -284,6 +287,7 @@
 	const char **attr_names = (const char **)conn->pass_attr_names;
 	string_t *str;
 
+	srequest->require_password = require_password;
 	srequest->request.type = LDAP_REQUEST_TYPE_SEARCH;
 	vars = auth_request_get_var_expand_table(auth_request, ldap_escape);
 
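Review bot: The assignment `srequest->require_password = require_password;` looks like it targets the wrong object. The flag was added to the struct that holds `callback` and `entries`, and it is read back as `ldap_request->require_password`. `srequest` is used on the next line as `srequest->request.type`, which suggests it is the embedded search request rather than `struct passdb_ldap_request`; its declaration is outside the hunk, so this is inferred. If so the line will not compile, and the intended form is `request->require_password = require_password;`.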
@@ -390,7 +394,7 @@
 	ldap_request->request.ldap.auth_request = request;
 
 	if (!conn->set.auth_bind)
-		ldap_lookup_pass(request, ldap_request);
+		ldap_lookup_pass(request, ldap_request, TRUE);
 	else if (conn->set.auth_bind_userdn == NULL)
 		ldap_bind_lookup_dn(request, ldap_request);
 	else
@@ -401,6 +405,7 @@
 				    lookup_credentials_callback_t *callback)
 {
 	struct passdb_ldap_request *ldap_request;
+	bool require_password;
 
 	ldap_request = p_new(request->pool, struct passdb_ldap_request, 1);
 	ldap_request->callback.lookup_credentials = callback;
@@ -408,7 +413,11 @@
 	auth_request_ref(request);
 	ldap_request->request.ldap.auth_request = request;
 
-        ldap_lookup_pass(request, ldap_request);
+	/* with auth_bind=yes we don't necessarily have a password.
+	   this will fail actual password credentials lookups, but it's fine
+	   for passdb lookups done by lmtp/doveadm */
+	require_password = !conn->set.auth_bind;
+        ldap_lookup_pass(request, ldap_request, require_password);
 }
 
 static struct passdb_module *
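Review bot: `conn` is used in `require_password = !conn->set.auth_bind;`, but the declaration block of this function, visible in the preceding hunk, declares only `ldap_request` and `require_password`. Unless `conn` is declared on the one line that falls between the two hunks, this does not build; derive it from `request->passdb->passdb` the same way `ldap_lookup_pass()` does. The call on the following line is also indented with spaces where the surrounding lines use tabs. The function's signature starts before the preceding hunk.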

