From 30832319dfeacabe10c7e176b6c5375aedf3c47f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20R=C3=A9mond?=
Date: Thu, 9 Aug 2007 15:35:59 +0000
Subject: [PATCH] * src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP servers as ejabberd is providing other anonymous authentication mechanism (EJAB-190).

SVN Revision: 866
---
 ChangeLog                  |  8 ++++++--
 src/ejabberd_auth_ldap.erl | 19 +++++++++++++------
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 92034c183..edeed48b9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,3 @@
-
-
 2007-06-29 Mickael Remond
 
 	* src/ejabberd_config.erl: Normalize hostnames in config file. If mixed
@@ -10,6 +8,12 @@
 	* src/ejabberd_app.erl: Likewise
 	* src/ejabberd_sup.erl: Likewise
 
+2007-02-19 Mickael Remond
+
+	* src/ejabberd_auth_ldap.erl: prevent anonymous bind on LDAP
+	servers as ejabberd is providing other anonymous authentication
+	mechanism (EJAB-190).
+
 2007-02-02 Christophe Romain
 
 	* doc/release_notes_1.1.3.txt: Creation.
diff --git a/src/ejabberd_auth_ldap.erl b/src/ejabberd_auth_ldap.erl
index d152d0895..a7479be74 100644
--- a/src/ejabberd_auth_ldap.erl
+++ b/src/ejabberd_auth_ldap.erl
@@ -119,13 +119,20 @@ plain_password_required() ->
     true.
 
 check_password(User, Server, Password) ->
-    Proc = gen_mod:get_module_proc(Server, ?MODULE),
-    case catch gen_server:call(Proc,
-		    {check_pass, User, Password}, ?REPLY_TIMEOUT) of
-	{'EXIT', _} ->
+    %% In LDAP spec: empty password means anonymous authentication.
+    %% As ejabberd is providing other anonymous authentication mechanisms
+    %% we simply prevent the use of LDAP anonymous authentication.
+    if Password == "" ->
 	    false;
-	Result ->
-	    Result
+       true ->
+	    Proc = gen_mod:get_module_proc(Server, ?MODULE),
+	    case catch gen_server:call(Proc,
+				       {check_pass, User, Password}, ?REPLY_TIMEOUT) of
+		{'EXIT', _} ->
+		    false;
+		Result ->
+		    Result
+	    end
     end.
 
 check_password(User, Server, Password, _StreamID, _Digest) ->
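Review bot: The empty-password rejection added to check_password/3 would be clearer as a function clause than an `if`: put `check_password(_User, _Server, "") -> false;` ahead of the existing head, which removes the `true ->` branch and one level of indentation, and the exact-match `=:=` is the usual choice over `==` if the `if` form is kept (for a string against `""` the two behave the same). The new side also keeps the old-style `catch gen_server:call(...)` and maps any `{'EXIT', _}` — a `?REPLY_TIMEOUT` expiry or a crashed LDAP worker as much as a refused bind — to `false`, so an LDAP outage is indistinguishable from a wrong password; logging the exit reason before returning `false` would let operators tell the two apart. The comment could also state what the check closes: an LDAP simple bind with a DN and an empty password is an "unauthenticated bind" (RFC 4513 §5.1.2) that many servers answer with success, so without this guard any user could be authenticated with an empty password. Whether the `check_pass` handler in the gen_server applies the same rule cannot be seen from this hunk; if it does not, callers that reach it by another path would still get the old behaviour.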