[Exim] Exim 4.05 ldapauth lookup patch

Author: John Dalbec
Date:  
To: Exim Users Mailing List
Subject: [Exim] Exim 4.05 ldapauth lookup patch
I would like to suggest the following patch. Inspecting the code in
ldap.c suggests that the obvious authenticator (with
"server_condition=${lookup ldapauth...") creates an open relay since
LDAP binds with an empty password are considered anonymous regardless of
the username and will succeed in most configurations. Of course, this
check can be done in the authenticator, but IMO this is an unnecessary
configuration pitfall.

--- ldap.c.orig Fri Jun 14 09:41:27 2002
+++ ldap.c      Fri Jun 14 09:41:33 2002
@@ -166,6 +166,13 @@
   goto RETURN_ERROR_BREAK;
   }


+if (search_type == SEARCH_LDAP_AUTH && password[0] == '\0')
+ {
+ DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns
FAIL\n");
+ error_yield = FAIL;
+ goto RETURN_ERROR_NOMSG;
+ }
+
/* Check if LDAP thinks the URL is a valid LDAP URL */

if (!ldap_is_ldap_url(CS ldap_url))
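Review bot: the new test dereferences `password[0]` with no check that `password` is non-NULL; nothing in this hunk shows that an ldapauth query is guaranteed to carry a `pass=` field, so if the earlier query parsing lets it be omitted this segfaults instead of failing the lookup. Unless that guarantee exists above line 166, write the condition as `if (search_type == SEARCH_LDAP_AUTH && (password == NULL || *password == '\0'))`, which also makes the intent (no credential at all) explicit. Two smaller points: the `debug_printf("Empty password: ldapauth returns` line has been wrapped by the mailer in the middle of the string literal, so this patch will not apply as posted (resend as an attachment), and the body lines of the new block are indented one space where the surrounding code (`  goto RETURN_ERROR_BREAK;`, `  }`) uses two.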
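The authenticator-side check the message mentions, written out here as an added example (it is not part of the message or of Exim's own source): the pitfall authenticator beside a hardened one that refuses an empty username or password before ldapauth ever binds. It assumes a current Exim release, in which the decoded PLAIN username and password are in $auth2 and $auth3 (Exim 4.05 of the time exposed them as $2 and $3), a hypothetical directory at ldap.example.com with people under ou=people,dc=example,dc=com, and the driver names plain_weak and plain, all of which are assumptions.

```exim
# Added example, not from the message or from Exim.  Pitfall form: whatever the
# client sent in the password field is passed straight to ldapauth.  If the
# directory treats "DN plus empty password" as an anonymous bind, the lookup
# succeeds for any $auth2 and every client can authenticate and relay.
plain_weak:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${lookup ldapauth \
      {user="uid=${quote_ldap_dn:$auth2},ou=people,dc=example,dc=com" \
       pass=${quote:$auth3} \
       ldap://ldap.example.com/} {yes}{no}}
  server_set_id = $auth2

# Hardened form: reject the attempt before any bind when either field is empty,
# so the directory's anonymous-bind policy never decides the outcome.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if or {{eq{$auth2}{}}{eq{$auth3}{}}} {no} \
      {${lookup ldapauth \
          {user="uid=${quote_ldap_dn:$auth2},ou=people,dc=example,dc=com" \
           pass=${quote:$auth3} \
           ldap://ldap.example.com/} {yes}{no}}}}
  server_set_id = $auth2
```

Before relying on the directory alone, check how it treats a DN with an empty password: `ldapwhoami -x -H ldap://ldap.example.com/ -D "uid=alice,ou=people,dc=example,dc=com" -w ""` (alice being a hypothetical entry) answering `anonymous` rather than an error is exactly the unauthenticated bind the message warns about. Keep the client-side guard either way, since that server default differs between directory products and versions.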