* src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP

servers as ejabberd is providing other anonymous authentication
mechanism (EJAB-190).

SVN Revision: 866

ChangeLog

@@ -1,5 +1,3 @@
-
-
 2007-06-29  Mickael Remond  <mickael.remond@process-one.net>
   	 	
 	* src/ejabberd_config.erl: Normalize hostnames in config file. If mixed
@@ -10,6 +8,12 @@
 	* src/ejabberd_app.erl: Likewise
 	* src/ejabberd_sup.erl: Likewise
 
+2007-02-19  Mickael Remond  <mickael.remond@process-one.net>
+
+	* src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP
+	servers as ejabberd is providing other anonymous authentication
+	mechanism (EJAB-190).
+
 2007-02-02  Christophe Romain <christophe.romain@process-one.net>
 
 	* doc/release_notes_1.1.3.txt: Creation.

src/ejabberd_auth_ldap.erl

@@ -119,13 +119,20 @@ plain_password_required() ->
     true.
 
 check_password(User, Server, Password) ->
-    Proc = gen_mod:get_module_proc(Server, ?MODULE),
-    case catch gen_server:call(Proc,
-			       {check_pass, User, Password}, ?REPLY_TIMEOUT) of
-	{'EXIT', _} ->
+    %% In LDAP spec: empty password means anonymous authentication.
+    %% As ejabberd is providing other anonymous authentication mechanisms
+    %% we simply prevent the use of LDAP anonymous authentication.
+    if Password == "" ->
 	    false;
-	Result ->
-	    Result
+       true ->
+	    Proc = gen_mod:get_module_proc(Server, ?MODULE),
+	    case catch gen_server:call(Proc,
+				       {check_pass, User, Password}, ?REPLY_TIMEOUT) of
+		{'EXIT', _} ->
+		    false;
+		Result ->
+		    Result
+	    end
     end.
 
 check_password(User, Server, Password, _StreamID, _Digest) ->