[tpop3d-discuss] Auth-Ldap BUG

Chris Lightfoot chris at ex-parrot.com
Fri, 6 Sep 2002 13:08:48 +0100


On Fri, Sep 06, 2002 at 01:00:37PM +0100, Chris Lightfoot wrote:
> On Fri, Sep 06, 2002 at 12:59:35PM +0100, Simon Loader wrote:
> > 
> > Yes, that's true, perhaps it's doing anonymous auth
> > 
> > simon does a test
> > 
> > Yes, that is the problem: LDAP is accepting no password and
> > binding as anonymous.
> > 
> > Well, the whole of the tpop3d.c code is fine, I will muck around with the
> > LDAP system ... I thought I switched that off.
> 
> Ah, splendid.
> 
> Hmm. I guess tpop3d should have a `permit empty password'
> setting, default `no'.

Try this:

Index: authswitch.c
===================================================================
RCS file: /home/chris/vcvs/repos/tpop3d/authswitch.c,v
retrieving revision 1.35
diff -u -r1.35 authswitch.c
--- authswitch.c        1 Jul 2002 13:16:40 -0000       1.35
+++ authswitch.c        6 Sep 2002 12:07:26 -0000
@@ -256,6 +256,13 @@
     char *x = NULL;
     const char *l = NULL, *d = NULL;
 
+    /* This is here mainly for users who forgot to switch off LDAP anonymous
+     * authentication.... */
+    if (*pass == 0 && !config_get_bool("permit-empty-password")) {
+        log_print(LOG_WARNING, _("authcontext_new_user_pass: rejecting login attempt by `%s' with empty password"), user);
+        return NULL;
+    }
+    
     l = local_part;
     d = domain;
     
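Review bot: the key read by config_get_bool() in the added check, "permit-empty-password", does not match the directive this patch registers in cfgdirectives.c, "permit-empty-passwords" (plural). With the two spellings out of step, an administrator who sets the registered directive is setting a name this check never reads, so empty passwords would likely stay rejected regardless of configuration; use one spelling in both files. Separately, the test `*pass == 0` dereferences pass with no NULL check in the visible lines; if any caller can pass a NULL password, write the condition as `(!pass || !*pass)`.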
Index: cfgdirectives.c
===================================================================
RCS file: /home/chris/vcvs/repos/tpop3d/cfgdirectives.c,v
retrieving revision 1.18
diff -u -r1.18 cfgdirectives.c
--- cfgdirectives.c     1 Jul 2002 14:06:05 -0000       1.18
+++ cfgdirectives.c     6 Sep 2002 12:07:26 -0000
@@ -30,6 +30,7 @@
     "apop-only",
     "mailbox",
     "no-detach",
+    "permit-empty-passwords",
 
 #ifdef AUTH_PAM
     /* auth-pam options */
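Review bot: the new "permit-empty-passwords" entry is added to the directive list with nothing in this patch documenting it. The configuration documentation should state that it is a boolean, that leaving it unset means empty passwords are rejected (the `!config_get_bool(...)` test in authswitch.c), and that it exists because an LDAP server with anonymous binds enabled accepts an empty password, as the comment in the authswitch.c hunk notes.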


-- now in CVS.

-- 
War is Peace   Freedom is Slavery   Ignorance is Strength
(1984)