author | Mickaël Rémond <mickael.remond@process-one.net> | 2007-02-19 13:27:18 +0000 |
committer | Mickaël Rémond <mickael.remond@process-one.net> | 2007-02-19 13:27:18 +0000 |
commit | 90488e5f37c88b52bae9dd3f42b6dacae108b9ca (patch) | |
tree | 436a92b7659dc30464f1e240d305319f51dd4106 | |
parent | * src/cyrsasl_plain.erl: bad-auth error code replaced by not-authorized (diff) |
* src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP servers
as ejabberd provides other anonymous authentication mechanisms
(EJAB-190).
SVN Revision: 731
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | src/ejabberd_auth_ldap.erl | 15 |
2 files changed, 14 insertions, 5 deletions
@@ -1,5 +1,9 @@
 2007-02-19 Mickael Remond <mickael.remond@process-one.net>
+ * src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP servers
+ as ejabberd is providing other anonymous authentication mechanism
+ (EJAB-190).
+ * src/cyrsasl_plain.erl: bad-auth error code replaced by not-authorized (EJAB-187).
diff --git a/src/ejabberd_auth_ldap.erl b/src/ejabberd_auth_ldap.erl
index baebe1523..5fcd44c3b 100644
--- a/src/ejabberd_auth_ldap.erl
+++ b/src/ejabberd_auth_ldap.erl
@@ -120,11 +120,16 @@ plain_password_required() ->
 true.
 check_password(User, Server, Password) ->
- case catch check_password_ldap(User, Server, Password) of
- {'EXIT', _} ->
- false;
- Result ->
- Result
+ %% In LDAP spec: empty password means anonymous authentication.
+ %% As ejabberd is providing other anonymous authentication mechanisms
+ %% we simply prevent the use of LDAP anonymous authentication.
+ if Password == "" ->
+ false;
+ true ->
+ case catch check_password_ldap(User, Server, Password) of
+ {'EXIT', _} -> false;
+ Result -> Result
+ end
 end.
 check_password(User, Server, Password, _StreamID, _Digest) -> |
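Review bot: The `Password == ""` guard in check_password/3 closes the empty-password case that an LDAP server would treat as an unauthenticated bind, but the `catch` kept below it still folds every crash of check_password_ldap/3 into `false`, so an LDAP outage or a misconfigured connection is indistinguishable from a wrong password to anyone reading the auth logs. Consider recording the reason in that branch while keeping the fail-closed result, e.g. `{'EXIT', Reason} -> ?ERROR_MSG("LDAP password check failed: ~p", [Reason]), false;`, assuming the module includes the usual ejabberd logging header. The check_password/5 clause whose head is the hunk's last context line lies outside the hunk, so whether it applies the same empty-password rule cannot be seen here and is worth confirming. Stylistically, a dedicated clause `check_password(_User, _Server, "") -> false;` ahead of the general one would state the rule without the `if`.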