[Exim] Re: Exim 4.05 ldapauth lookup patch

Author: Douglas Gray Stephens
Date:  
To: John Dalbec
CC: exim-users
Subject: [Exim] Re: Exim 4.05 ldapauth lookup patch
John,

On 14-Jun-2002 at 10:17EDT John Dalbec wrote
>
> I would like to suggest the following patch. Inspecting the code in
> ldap.c suggests that the obvious authenticator (with
> "server_condition=${lookup ldapauth...") creates an open relay since
> LDAP binds with an empty password are considered anonymous regardless of
> the username and will succeed in most configurations. Of course, this
> check can be done in the authenticator, but IMO this is an unnecessary
> configuration pitfall.


LDAP has three forms of authentication:
 o  Anonymous
    (client gives no DN or password)
 o  Unauthenticated
    (client gives a DN that may or may not exist and no password (a null password))
 o  Authenticated
    (client gives a DN that must exist, and the correct password for that DN).


It is the LDAP client's responsibility (so in this case, Exim) to check
that the password is not null if you wish to do an authenticated bind.

Hence I would second your proposed change, as failure to check for a
null password is a common bug when clients try to use LDAP for
authentication.


Douglas.

 > +++ ldap.c      Fri Jun 14 09:41:33 2002
 > @@ -166,6 +166,13 @@
 >    goto RETURN_ERROR_BREAK;
 >    }

>
> +if (search_type == SEARCH_LDAP_AUTH && password[0] == '\0')
> + {
> + DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns
> FAIL\n");
> + error_yield = FAIL;
> + goto RETURN_ERROR_NOMSG;
> + }
> +
> /* Check if LDAP thinks the URL is a valid LDAP URL */
>
> if (!ldap_is_ldap_url(CS ldap_url))
>
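Review bot: the new guard `password[0] == '\0'` dereferences `password` unconditionally, so if the ldapauth URL handling can leave `password` as a NULL pointer (no password component present at all, as distinct from an empty one) the lookup will crash here instead of returning FAIL; either widen the test to `password == NULL || password[0] == '\0'` or add a comment stating why `password` cannot be NULL at this point. The early return also merits a sentence in the ldapauth lookup documentation, since an empty password that previously produced a successful unauthenticated bind now yields FAIL, which is a visible behaviour change for any configuration that depended on it.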


--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================
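The client-side check Douglas describes, worked through as an added example that is not part of this thread, of Exim's ldap.c, or of the OpenLDAP API. It classifies a simple bind into the three forms listed above (RFC 4513 section 5.1), stands in for a permissive directory server of the kind John describes (one that accepts anonymous and unauthenticated binds), and contrasts an authenticator that trusts the bind result alone with one that refuses to bind unless the request is an authenticated one. The directory entries, DNs, passwords, the server's policy and all function names are constructed for the demonstration; the "refuse an empty DN with a non-empty password" category is a client-side policy chosen here, not something the thread states.

```c
/* Added example: why an LDAP authenticator must refuse empty passwords
 * before binding.  Stand-alone C; nothing here is Exim's code or the
 * OpenLDAP API.  The directory, the server's bind policy and all names
 * are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

/* The three simple-bind forms described in the thread (RFC 4513 s.5.1),
 * plus one client-side category for "empty DN but non-empty password",
 * which this client never wants to send (an assumption of this example). */
typedef enum {
  BIND_ANONYMOUS,        /* empty DN, empty password            */
  BIND_UNAUTHENTICATED,  /* non-empty DN, empty password        */
  BIND_AUTHENTICATED,    /* non-empty DN, non-empty password    */
  BIND_MALFORMED         /* empty DN with a password: refuse    */
} bind_kind;

bind_kind classify_simple_bind(const char *dn, const char *password)
{
  int have_dn = (dn != NULL && dn[0] != '\0');
  int have_pw = (password != NULL && password[0] != '\0');
  if (!have_dn) return have_pw ? BIND_MALFORMED : BIND_ANONYMOUS;
  return have_pw ? BIND_AUTHENTICATED : BIND_UNAUTHENTICATED;
}

/* Constructed stand-in for the directory server.  It mimics a server
 * that, as John describes, accepts anonymous and unauthenticated binds;
 * only authenticated binds have a password checked. */
struct entry { const char *dn; const char *password; };
static const struct entry directory[] = {
  { "uid=alice,ou=people,dc=example,dc=com", "correct horse" },
  { "uid=bob,ou=people,dc=example,dc=com",   "battery staple" },
};

typedef enum { BIND_OK = 0, BIND_INVALID_CREDENTIALS = 49 } bind_result;

bind_result mock_server_bind(const char *dn, const char *password)
{
  size_t i;
  switch (classify_simple_bind(dn, password)) {
  case BIND_ANONYMOUS:
  case BIND_UNAUTHENTICATED:
    return BIND_OK;   /* permissive server: nothing to check, so it succeeds */
  case BIND_MALFORMED:
    return BIND_INVALID_CREDENTIALS;
  case BIND_AUTHENTICATED:
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
      if (strcmp(directory[i].dn, dn) == 0)
        return strcmp(directory[i].password, password) == 0
               ? BIND_OK : BIND_INVALID_CREDENTIALS;
    return BIND_INVALID_CREDENTIALS;   /* DN does not exist */
  }
  return BIND_INVALID_CREDENTIALS;
}

/* Lookup outcomes, named after the thread's "FAIL" wording. */
typedef enum { AUTH_FAIL = 0, AUTH_OK = 1 } auth_result;

/* The pitfall: treat "the bind succeeded" as "the password was right". */
auth_result naive_ldapauth(const char *dn, const char *password)
{
  return mock_server_bind(dn, password) == BIND_OK ? AUTH_OK : AUTH_FAIL;
}

/* The fix the patch proposes, generalised: do not bind at all unless the
 * request is an authenticated one, so a permissive server can never turn
 * an empty password (or an empty DN) into a successful login. */
auth_result hardened_ldapauth(const char *dn, const char *password)
{
  if (classify_simple_bind(dn, password) != BIND_AUTHENTICATED)
    return AUTH_FAIL;
  return mock_server_bind(dn, password) == BIND_OK ? AUTH_OK : AUTH_FAIL;
}

int main(void)
{
  const char *alice = "uid=alice,ou=people,dc=example,dc=com";
  const char *ghost = "uid=nobody,ou=people,dc=example,dc=com";
  printf("naive,    alice + empty password:  %s\n",
         naive_ldapauth(alice, "") == AUTH_OK ? "ACCEPTED (open relay)" : "rejected");
  printf("naive,    unknown DN + empty pw:   %s\n",
         naive_ldapauth(ghost, "") == AUTH_OK ? "ACCEPTED (open relay)" : "rejected");
  printf("hardened, alice + empty password:  %s\n",
         hardened_ldapauth(alice, "") == AUTH_OK ? "accepted" : "rejected");
  printf("hardened, alice + right password:  %s\n",
         hardened_ldapauth(alice, "correct horse") == AUTH_OK ? "accepted" : "rejected");
  printf("hardened, alice + wrong password:  %s\n",
         hardened_ldapauth(alice, "wrong") == AUTH_OK ? "accepted" : "rejected");
  return 0;
}
```

The point of the mock is that the naive authenticator accepts any DN, existing or not, as long as the password is empty, because the server is answering a different question (is this bind permitted?) from the one the authenticator is asking (is this the account's password?). Placing the classification in the client closes that gap regardless of how permissive the server happens to be; a server that refuses unauthenticated binds is a second layer, not a substitute.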