Re: [tpop3d-discuss] Auth-Ldap BUG
From: Chris Lightfoot
Subject: Re: [tpop3d-discuss] Auth-Ldap BUG
Date: Fri, 6 Sep 2002 13:08:48 +0100
User-agent: Mutt/1.3.24i

On Fri, Sep 06, 2002 at 01:00:37PM +0100, Chris Lightfoot wrote:
> On Fri, Sep 06, 2002 at 12:59:35PM +0100, Simon Loader wrote:
> >
> > Yes, that's true, perhaps it's doing anonymous auth
> >
> > simon does a test
> >
> > Yes that is the problem ldap is accepting no password and
> > binding as anonymous.
> >
> > Well the whole of tpop3d.c code is fine, I will muck around with the ldap
> > system ... I thought I switched that off.
>
> Ah, splendid.
>
> Hmm. I guess tpop3d should have a `permit empty password'
> setting, default `no'.
Try this:
Index: authswitch.c
===================================================================
RCS file: /home/chris/vcvs/repos/tpop3d/authswitch.c,v
retrieving revision 1.35
diff -u -r1.35 authswitch.c
--- authswitch.c 1 Jul 2002 13:16:40 -0000 1.35
+++ authswitch.c 6 Sep 2002 12:07:26 -0000
@@ -256,6 +256,13 @@
char *x = NULL;
const char *l = NULL, *d = NULL;
+ /* This is here mainly for users who forgot to switch off LDAP anonymous
+ * authentication.... */
+ if (*pass == 0 && !config_get_bool("permit-empty-password")) {
+ log_print(LOG_WARNING, _("authcontext_new_user_pass: rejecting login
attempt by `%s' with empty password"), user);
+ return NULL;
+ }
+
l = local_part;
d = domain;
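Review bot: the key looked up in the new check, config_get_bool("permit-empty-password"), is singular, while the directive this same patch registers in cfgdirectives.c is "permit-empty-passwords". If the lookup is by exact name, a site that sets the registered directive will still have empty passwords rejected; use one spelling in both places. It is also worth confirming that pass can never be NULL at this point, since *pass is dereferenced before anything else is checked.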
Index: cfgdirectives.c
===================================================================
RCS file: /home/chris/vcvs/repos/tpop3d/cfgdirectives.c,v
retrieving revision 1.18
diff -u -r1.18 cfgdirectives.c
--- cfgdirectives.c 1 Jul 2002 14:06:05 -0000 1.18
+++ cfgdirectives.c 6 Sep 2002 12:07:26 -0000
@@ -30,6 +30,7 @@
"apop-only",
"mailbox",
"no-detach",
+ "permit-empty-passwords",
#ifdef AUTH_PAM
/* auth-pam options */
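Review bot: "permit-empty-passwords" is added to the list of recognised directives, but nothing in this patch documents it. Because the check in authswitch.c rejects empty passwords unless the option is set, the configuration documentation should gain an entry that states the default and tells sites that rely on empty passwords to enable it.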
-- now in CVS.
--
War is Peace Freedom is Slavery Ignorance is Strength
(1984)
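The problem discussed in this thread, an LDAP simple bind with a user name and an empty password being accepted as anonymous, can be caught on the client side before any bind is sent. The following is an added example, not tpop3d code; it classifies simple bind credentials following RFC 4513 section 5.1, and the function names, the permit_empty flag and the sample DN are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Kinds of LDAP simple bind, following RFC 4513 section 5.1. */
enum bind_kind {
    BIND_ANONYMOUS,       /* empty DN, empty password */
    BIND_UNAUTHENTICATED, /* DN given, empty password: may succeed as anonymous */
    BIND_NAME_PASSWORD,   /* DN and password both given */
    BIND_INVALID          /* NULL argument, or a password without a DN */
};

enum bind_kind classify_simple_bind(const char *dn, const char *pass) {
    if (dn == NULL || pass == NULL)
        return BIND_INVALID;
    if (*pass == '\0')
        return *dn == '\0' ? BIND_ANONYMOUS : BIND_UNAUTHENTICATED;
    return *dn == '\0' ? BIND_INVALID : BIND_NAME_PASSWORD;
}

/* Hypothetical gate for a client that treats "bind succeeded" as proof of
 * identity. Returns 1 if the bind may be sent to the directory, 0 if the
 * login must be refused first. permit_empty plays the role of a
 * "permit empty password" setting and should default to 0. */
int may_attempt_bind(const char *dn, const char *pass, int permit_empty) {
    switch (classify_simple_bind(dn, pass)) {
    case BIND_NAME_PASSWORD:
        return 1;
    case BIND_UNAUTHENTICATED:
        return permit_empty ? 1 : 0;
    default: /* an anonymous or malformed bind never identifies a user */
        return 0;
    }
}

int main(void) {
    /* Constructed sample credentials. */
    const char *dn = "uid=simon,dc=example,dc=org";
    printf("empty password, default policy: %d\n", may_attempt_bind(dn, "", 0));
    printf("empty password, permitted:      %d\n", may_attempt_bind(dn, "", 1));
    printf("real password:                  %d\n", may_attempt_bind(dn, "s3cret", 0));
    printf("anonymous bind:                 %d\n", may_attempt_bind("", "", 1));
    return 0;
}
```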