[tpop3d-discuss] Auth-Ldap BUG
Chris Lightfoot
chris at ex-parrot.com
Fri, 6 Sep 2002 12:52:24 +0100
On Fri, Sep 06, 2002 at 12:40:12PM +0100, Simon Loader wrote:
>
> Im hoping this wil thread with the one already in the list.
>
>
> I just came across the same bug in either auth_ldap or tpop3d in
> general. If you login with "pass " (pass and a single space) the user
> is logged in with out authenticating. As far as I can tell it never really
> calls the ldap authentication (or if it does it returns early). So I patched
> it like this:-
>
Hmm. Which version are you using?
Neither 1.4.2 nor the current CVS version shows this
behaviour with auth-pam or auth-mysql. I don't have a test
LDAP setup to hand, but I'm very surprised by this. Are
you saying that it occurs with any authenticator?
So far as I can see, the LDAP authenticator will only
generate an authentication context if ldap_simple_bind_s
returns LDAP_SUCCESS. This ought only to happen when the
password matches.
--
``Treason doth ne'er prosper / And what is the reason?
If treason should prosper / None dare call it treason.''
(Glorious-Revolution-era ditty)