[ejabberd] Ability to use any ldap account with no password

Oleg Kivel olegk at dp.ru
Thu Dec 2 12:51:02 MSK 2004

>> I installed ejabberd-0.7.5 (Linux Red Hat 9) with {auth_method, ldap}.
>> If I DON'T check the "Use plain text password" box, then ejabberd
>> accepts ANY (even empty) PASSWORD for any LDAP user, and after that I can
>> use the jabber service without problem!
>> Other clients (PSI, Exodus) only permit entering the valid LDAP user's
>> password.
>> Is this an issue with ejabberd, the Lotus Domino LDAP service or JAJC?

LJ> It may be an issue with clients. The correct way IS to use plain text
LJ> passwords (I suggest you use TLS for your jabber client connections).
LJ> It may be that other clients use plaintext by default...

LJ>         MVH leifj

But why does ejabberd permit unauthorized access anyway? What will happen
if a bad guy decides to use JAJC without "Use plain text password"?

Kivel Oleg.
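As an added illustration (not ejabberd's code, and assuming the non-plaintext mode in question is the legacy jabber:iq:auth digest, SHA-1 over stream id plus password), the following shows why a digest login can only be verified when the server itself holds the plaintext password, and how a bind-only LDAP backend must reject a digest it cannot check rather than accept it; the directory contents and user name are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample directory standing in for the LDAP server. Assumption:
# the directory only answers "does this bind succeed?" and never returns
# the stored password to the XMPP server.
SAMPLE_DIRECTORY = {"olegk": "correct horse"}


class LdapBindBackend:
    """Verifies a password only by attempting a bind; has no plaintext to return."""

    def check_plain(self, user, password):
        stored = SAMPLE_DIRECTORY.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))

    def get_password(self, user):
        return None  # a bind-only directory cannot disclose the password


class InternalBackend:
    """Stores passwords itself, so it can recompute a client's digest."""

    def __init__(self, users):
        self.users = users

    def check_plain(self, user, password):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))

    def get_password(self, user):
        return self.users.get(user)


def jabber_digest(stream_id, password):
    # Assumed legacy jabber:iq:auth digest: SHA-1 over stream id + password.
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def authenticate(backend, user, stream_id, plain=None, digest=None):
    """Server-side check. A digest is accepted only if the backend can
    supply the plaintext needed to recompute it; otherwise fail closed."""
    if plain is not None:
        return backend.check_plain(user, plain)
    if digest is not None:
        stored = backend.get_password(user)
        if stored is None:
            return False  # cannot verify, so reject instead of accepting anything
        expected = jabber_digest(stream_id, stored)
        return hmac.compare_digest(expected.encode("ascii"), digest.encode("ascii"))
    return False  # no credential presented at all
```

With the LDAP backend every digest login, including one computed from an empty password, is refused, while plaintext (ideally over TLS, as suggested above) is verified by the bind; the internal backend can verify digests because it holds the password.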
