-rw-r--r--ChangeLog4
-rw-r--r--src/ejabberd_auth_ldap.erl15
2 files changed, 14 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 42e94dc4a..84dac75cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2007-02-19 Mickael Remond <mickael.remond@process-one.net>
+ * src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP servers
+ as ejabberd is providing other anonymous authentication mechanism
+ (EJAB-190).
+
* src/cyrsasl_plain.erl: bad-auth error code replaced by not-authorized
(EJAB-187).
diff --git a/src/ejabberd_auth_ldap.erl b/src/ejabberd_auth_ldap.erl
index baebe1523..5fcd44c3b 100644
--- a/src/ejabberd_auth_ldap.erl
+++ b/src/ejabberd_auth_ldap.erl
@@ -120,11 +120,16 @@ plain_password_required() ->
true.
check_password(User, Server, Password) ->
- case catch check_password_ldap(User, Server, Password) of
- {'EXIT', _} ->
- false;
- Result ->
- Result
+ %% In LDAP spec: empty password means anonymous authentication.
+ %% As ejabberd is providing other anonymous authentication mechanisms
+ %% we simply prevent the use of LDAP anonymous authentication.
+ if Password == "" ->
+ false;
+ true ->
+ case catch check_password_ldap(User, Server, Password) of
+ {'EXIT', _} -> false;
+ Result -> Result
+ end
end.
check_password(User, Server, Password, _StreamID, _Digest) ->
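Review bot: The new guard `if Password == ""` rejects only the exact empty string; the LDAP unauthenticated-bind behaviour it defends against (a bind with a DN and an empty credential, RFC 4513 §5.1.2) would be expressed more idiomatically and more robustly as a dedicated clause, `check_password(_User, _Server, "") -> false;` placed before the existing clause, which also removes the `if ... true ->` fallthrough. If callers can ever hand this function a binary password, `<<>>` would slip past the current check — I cannot tell from this hunk what types reach here, so that is worth confirming against the callers. Separately, the unchanged `catch check_password_ldap(...)` still maps every crash, including LDAP connectivity failures, to `false`, so an LDAP outage is indistinguishable from a wrong password; logging the `{'EXIT', Reason}` before returning `false` would make incident triage possible. The `check_password/5` clause that starts on the last hunk line continues outside the hunk, so I cannot verify that the digest path applies the same empty-password rule.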