On Tue, Apr 24, 2001 at 04:53:11PM -0700, Andreas Stollar wrote:
> Hello,
>
> It seems that auth-ldap allows you to log in using no password. This is
> somewhat of a problem. I am using the latest patch
> qmail-ldap-1.03-20010301, with courier-imap-1.3.7. I have gotten the same
> results on Linux (redhat-6.2 and 7.0) and FreeBSD-4.2. A sample of a few
> sessions.
>
> {snip}
> [andreas@corundum andreas]$ telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK Courier-IMAP ready. Copyright 1998-2001 Double Precision, Inc. See
> COPYING for distribution information.
> a001 login andreas ""
> a001 OK LOGIN Ok.
>
> Hmm, seems like a problem. Turns out, a blank password in Netscape
> will do the same thing, leaving all accounts wide open to anyone.
Some time ago I sent this problem (and a patch) to the list; it is attached here.
Regards...
--Juanjo
I found a serious misconfiguration (but I think it is *typical*, that's why
I'm posting here) in my site that allowed ANY
account to be successfully accessed by supplying a NULL password.
FYI:
I always telnet to the imap and pop3 ports and talk the raw app protocols;
yesterday I used
fetchmail -N -v -u username localhost
which happens to be more "comfortable" for NULL-password typos 8)
I'm using OpenLDAP 1.2.xx with anonymous searches opened (userPassword
hidden, etc).
The problem seems to be that an ``anonymous bind'' (dn="") behaves the same as
a ``not-authenticated bind'' (dn="ANYTHING" pw="") at least with
respect to the OpenLDAP ACL idiom (my searches in the OpenLDAP mailing lists
seem to agree with this behavior).
The attached patch solved my problem by not authenticating if a null password
is passed (with ldaprebind=2).
--- checkpassword.c.rebind_notnull_passwd Sun Mar 18 13:16:13 2001
+++ checkpassword.c Sun Mar 18 15:13:24 2001
@@ -135,6 +135,14 @@
/* initalize the different info objects */
if ( rebind ) {
extra[0].what = 0; /* under rebind mode no additional info is
needed */
+ /*
+ * Do not allow null password if (rebind && 0x02)
+ * --Juanjo <[EMAIL PROTECTED]> 2001/03/18
+ */
+ if ( (rebind & 0x02) && (!authdata->len || !authdata->s[0]) ) {
+ debug(4, "warning: NULL password not allowed (login=%s)\n",
+login->s? login->s : NULL);
+ return -1;
+ }
search.bindpw = authdata->s;
attrs[7] = 0;
/* rebind on, check passwd via ldap rebind */
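Review bot: the debug() call on the `+login->s? login->s : NULL` line can hand a NULL pointer to a `%s` conversion, which is undefined behaviour in printf-style functions; use a literal such as "(null)" or "<none>" for the missing-login case instead. The rejection is also opt-in behind bit 0x02, so a site that keeps ldaprebind=1 retains the empty-password bypass; since an empty simple-bind credential can never be a valid password check, consider applying `if ( !authdata->len || !authdata->s[0] ) return -1;` unconditionally in rebind mode, and confirm that the caller treats -1 as a hard authentication failure rather than a temporary error, which the lines shown here do not establish. Minor: the wrapped `+login->s? ...` continuation line is unindented and should align with the debug() arguments.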
--- QLDAPINSTALL~ Mon Mar 19 11:31:58 2001
+++ QLDAPINSTALL Mon Mar 19 11:31:47 2001
@@ -223,7 +223,13 @@
Default: disabled
Example: 1
Note: boolean, use 0 (zero) or 1 (one)
-
+ additional (ORed) bits:
+ 0x02 fail if null password passed for user authentication
+ ATTN: depending on your LDAP server configuration, it may ALWAYS return
+ succesfull authentication when a NULL password is passed, by
+ "downgrading" the connection to an anonymous bind.
+ Setting ldaprebind to 3 will prevent this unwanted behavior.
+
~control/ldapcluster
Turn clustering on and off. Needs a qmail-ldap compiled with
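Review bot: the unchanged line `Note: boolean, use 0 (zero) or 1 (one)` now contradicts the added `additional (ORed) bits:` text; update it to say the value is a bit mask (0, 1, 2 or 3). Spell "succesfull" as "successful". It is also worth stating that bit 0x02 is only evaluated in rebind mode and that a value of 2 on its own already enables rebind, since checkpassword.c tests `if ( rebind )` for any non-zero value before checking `rebind & 0x02`, so the documented value 3 and the value 2 behave the same.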
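The following is an added worked example, not code from qmail-ldap, OpenLDAP or this thread. It models the failure mode the post describes (a simple bind with a real DN but an empty password being downgraded to an anonymous bind, so a front end that only asks "did the bind succeed?" accepts any login with an empty password) and shows the two independent places the hole can be closed: the client refusing empty passwords before it binds, which is what the patch does, and the directory rejecting unauthenticated binds, which RFC 4513 section 5.1.2 makes the default. The directory, the DN layout and the user data are constructed for the example; `ToyDirectory`, `check_password` and `demo` are hypothetical names.

```python
"""Added example (not qmail-ldap code): empty-password bind downgrade.

RFC 4513 section 5.1.2 terms for a simple Bind request:
  anonymous        empty name, empty password
  unauthenticated  non-empty name, empty password (servers SHOULD reject it
                   by default; a permissive server treats it as anonymous)
  name/password    non-empty name and password
"""

ANONYMOUS = "anonymous"
UNAUTHENTICATED = "unauthenticated"
NAME_PASSWORD = "name/password"


def classify_simple_bind(dn: str, password: str) -> str:
    """Classify a simple Bind request using the RFC 4513 section 5.1.2 terms."""
    if password == "":
        return ANONYMOUS if dn == "" else UNAUTHENTICATED
    return NAME_PASSWORD


class ToyDirectory:
    """Constructed stand-in for an LDAP server; `entries` maps DN -> userPassword."""

    def __init__(self, entries, downgrade_unauthenticated):
        self.entries = dict(entries)
        # True mimics the misconfiguration in the thread: an unauthenticated
        # bind is silently treated as a (permitted) anonymous bind and succeeds.
        self.downgrade_unauthenticated = downgrade_unauthenticated

    def bind(self, dn: str, password: str) -> bool:
        """Return True when the server reports a successful bind."""
        kind = classify_simple_bind(dn, password)
        if kind == ANONYMOUS:
            return True  # anonymous access is open, as in the post
        if kind == UNAUTHENTICATED:
            return self.downgrade_unauthenticated  # strict server: False
        return self.entries.get(dn) == password


def check_password(directory, login: str, password: str, reject_empty: bool) -> bool:
    """Client-side check in the spirit of checkpassword's rebind mode.

    `reject_empty` plays the role of the patch's ldaprebind bit 0x02: refuse
    before any bind is attempted, so the directory's policy cannot matter.
    The DN layout is an assumption made for this example.
    """
    if reject_empty and password == "":
        return False
    dn = f"uid={login},ou=people,dc=example,dc=org"
    return directory.bind(dn, password)


def demo() -> dict:
    """Run the scenarios from the thread against both server policies."""
    users = {"uid=andreas,ou=people,dc=example,dc=org": "correct horse"}  # constructed
    permissive = ToyDirectory(users, downgrade_unauthenticated=True)
    strict = ToyDirectory(users, downgrade_unauthenticated=False)
    return {
        # the bug: any account, even one that does not exist, logs in with ""
        "permissive_empty_pw": check_password(permissive, "andreas", "", reject_empty=False),
        "permissive_unknown_user_empty_pw": check_password(permissive, "nobody", "", reject_empty=False),
        # fix on the client (the patch's approach) closes it even on a permissive server
        "permissive_client_rejects_empty": check_password(permissive, "andreas", "", reject_empty=True),
        # fix on the server closes it even for an unpatched client
        "strict_empty_pw": check_password(strict, "andreas", "", reject_empty=False),
        # normal logins are unaffected by either fix
        "strict_right_pw": check_password(strict, "andreas", "correct horse", reject_empty=True),
        "strict_wrong_pw": check_password(strict, "andreas", "wrong", reject_empty=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:34s} -> {'LOGIN Ok' if ok else 'LOGIN failed'}")
```

Both layers are worth having: the client-side check is the one a mail site controls, while the server-side policy protects every other application that binds against the same directory.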