Andreas Stollar wrote:
> It seems that auth-ldap allows you to log in using no password. This is
> somewhat of a problem. I am using the latest patch
> qmail-ldap-1.03-20010301, with courier-imap-1.3.7. I have gotten the same
> results on Linux (redhat-6.2 and 7.0) and FreeBSD-4.2. A sample of a few
> sessions.

If the rusty memory serves, logging in with a blank password to an LDAP
server binds you anonymously, which will succeed.

The solution is to fix auth-ldap so that it rejects empty passwords, but
more importantly you should lock down the security on your LDAP server
so that people binding anonymously don't have access to details in your
database. In fact, denying read access to anonymous will fix your problem
on its own.

Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED]
"There's a moon over Bourbon Street tonight..."
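
The empty-password check suggested in the reply above, as an added example that is not part of the original message and is not auth-ldap's own code. `stub_simple_bind`, `login_unchecked`, `login_checked`, the DN and the password are constructed for illustration; the stub only models the behaviour the reply describes (a blank password binds anonymously and succeeds) and makes no real LDAP call.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a directory server's simple bind (no real LDAP
 * call). It models the behaviour described in the reply: a blank password
 * binds anonymously and succeeds without any credential being verified. */
enum bind_result { BIND_OK = 0, BIND_INVALID_CREDENTIALS = 49 };

static enum bind_result stub_simple_bind(const char *dn, const char *password)
{
    static const char *stored_dn = "uid=alice,ou=people,dc=example,dc=com";
    static const char *stored_pw = "correct horse";   /* constructed sample */

    if (password == NULL || password[0] == '\0')
        return BIND_OK;                    /* anonymous: nothing was checked */
    if (dn != NULL && strcmp(dn, stored_dn) == 0 &&
        strcmp(password, stored_pw) == 0)
        return BIND_OK;
    return BIND_INVALID_CREDENTIALS;
}

/* Behaviour in the report: a successful bind is taken as a successful login. */
int login_unchecked(const char *dn, const char *password)
{
    return stub_simple_bind(dn, password) == BIND_OK;
}

/* Hardened: refuse an empty DN or password before the bind is attempted,
 * so an anonymous bind can never be mistaken for an authenticated one. */
int login_checked(const char *dn, const char *password)
{
    if (dn == NULL || dn[0] == '\0')
        return 0;
    if (password == NULL || password[0] == '\0')
        return 0;
    return stub_simple_bind(dn, password) == BIND_OK;
}

int main(void)
{
    const char *dn = "uid=alice,ou=people,dc=example,dc=com";
    printf("unchecked, empty password: %d\n", login_unchecked(dn, ""));
    printf("checked,   empty password: %d\n", login_checked(dn, ""));
    printf("checked,   right password: %d\n", login_checked(dn, "correct horse"));
    printf("checked,   wrong password: %d\n", login_checked(dn, "guess"));
    return 0;
}
```

The client-side check covers only this one login path; denying read access to anonymous binds on the server, as the reply recommends, protects every client that talks to the directory.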