[Dovecot] LDAP authentication windows 2003

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Nov 9 15:30:29 UTC 2006



Steffen Kaiser wrote:
> On Thu, 9 Nov 2006, Timo Sirainen wrote:
> 
>> Umm.. The auth bind succeeds with the empty password?

It appears so ... (tried sniffing the LDAP bind).

> 
>> So should I just add a check that empty password will always fail if
>> auth_bind=yes? This prevents having users who don't have a password (eg.
>> they'd be proxied elsewhere), but I guess it's not that important.

Possibly, but my trust in the whole auth binds to AD thing is a bit
battered - I'd like to be convinced there's no other tricks ;). The
other snag is that passwords are sent to the AD in the clear so perhaps
Kerberos or LDAP-over-SSL are better.

> 
> How about a "#permit_empty_passwords = yes" option in passdb backends?
> Not that I use accounts with empty passwords, but just in case.
> 

Even better! OpenSSH has something similar, I think.

Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094


More information about the dovecot mailing list