[ejabberd] Ability to use any ldap account with no password

Leif Johansson leifj at it.su.se
Thu Dec 2 15:04:57 MSK 2004


Oleg Kivel wrote:
>>>I installed ejabberd-0.7.5 (Linux Red Hat 9) with {auth_method, ldap}.
>>>
>>>If I DON'T check the "Use plain text password" box, then ejabberd
>>>accepts ANY (even empty) PASSWORD for any ldap user, and after that I can
>>>use the jabber service without problem!
>>>
>>>Other clients (PSI, Exodus) permit entering only the valid ldap user's
>>>password.
>>>
>>>Is this issue with ejabberd, Lotus Domino LDAP-service or JAJC?
>>>
> 
> 
> LJ> It may be an issue with clients. The correct way IS to use plain text
> LJ> passwords (I suggest you use tls for your jabber client connections).
> LJ> It may be that other clients use plaintext per default...
> 
> LJ>         MVH leifj
> 
> 
> But why does ejabberd permit unauthorized access anyway? What will
> happen if a bad guy decides to use JAJC without "Use plain text password"?

Plaintext passwords as opposed to legacy jabber shared-secret passwords.
Neither of these is 'unauthenticated'. Use of plaintext passwords without TLS
is not recommended, but it's still not unauthenticated.

	MVH leifj
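The distinction Leif draws above is the crux of the reported behaviour: with the legacy jabber:iq:auth "digest" mechanism the client sends SHA-1(stream-id || password), so the server can only check it if it holds the plaintext password itself. An LDAP backend never sees the password; it can only ask the directory to bind with (uid, password) and learn success or failure. The following is an added illustration written for this thread, not ejabberd's own code: a simulated LDAP bind and a simulated internal database, and an authenticate() routine that verifies what it can and refuses what it cannot verify, rather than waving a digest through. The account table, the stream id and the backend names "ldap" and "internal" are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample accounts (not real data). The "internal" backend keeps
# the plaintext password, as ejabberd's own user database does; the "ldap"
# backend stands in for a directory that only answers bind requests.
_ACCOUNTS = {"alice": "correct horse", "bob": "s3cret"}


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (operates on bytes so any text works)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def ldap_bind(uid: str, password: str) -> bool:
    """Simulated LDAP simple bind: success only for the exact credential.
    An empty password is refused explicitly: in LDAP (RFC 4513) a bind with
    an empty password is an anonymous bind and would otherwise look like
    success to a naive caller, which is exactly the trap to avoid."""
    if not password:
        return False
    stored = _ACCOUNTS.get(uid)
    return stored is not None and _same(stored, password)


def internal_stored_password(uid: str) -> Optional[str]:
    """The internal backend can hand the plaintext password to the verifier."""
    return _ACCOUNTS.get(uid)


def legacy_digest(stream_id: str, password: str) -> str:
    """Legacy jabber:iq:auth digest (XEP-0078): hex SHA-1 of stream id || password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def authenticate(backend: str, uid: str, stream_id: str,
                 plain: Optional[str] = None,
                 digest: Optional[str] = None) -> bool:
    """Return True only when the presented credential was actually verified."""
    if plain is not None:
        if backend == "ldap":
            # Plaintext is the only thing an LDAP bind can check.
            return ldap_bind(uid, plain)
        stored = internal_stored_password(uid)
        return stored is not None and _same(stored, plain)

    if digest is not None:
        if backend == "ldap":
            # No plaintext available to recompute the digest from, so the
            # digest cannot be verified. The safe answer is a refusal; the
            # client should be told to use plaintext (over TLS) instead.
            return False
        stored = internal_stored_password(uid)
        if stored is None:
            return False
        return _same(legacy_digest(stream_id, stored), digest)

    # Neither mechanism presented: nothing was authenticated.
    return False


if __name__ == "__main__":
    sid = "constructed-stream-id-1234"  # constructed, not a real stream id
    good = legacy_digest(sid, "correct horse")
    print("ldap/plain ok    :", authenticate("ldap", "alice", sid, plain="correct horse"))
    print("ldap/plain empty :", authenticate("ldap", "alice", sid, plain=""))
    print("ldap/digest      :", authenticate("ldap", "alice", sid, digest=good))
    print("internal/digest  :", authenticate("internal", "alice", sid, digest=good))
```

The point of the "ldap"/digest branch is the one a deployment should check for: a backend that cannot verify a mechanism must fail closed. Pairing plaintext authentication with TLS on the client connection, as suggested in the thread, keeps the password off the wire while still giving the LDAP bind what it needs.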

