[ejabberd] help with config LDAP Auth. lots of problems & no logs

Oleg Kivel olegk at dp.ru
Wed May 25 18:44:39 MSD 2005


Ejabberd performs LDAP auth in a very strange way! And this way is different
from what squid_ldap_auth or Jive Messenger do. Ejabberd does not take into
account that there are LDAP servers with anonymous access allowed. And
a bind request with an empty password for such servers will always return
SUCCESS! But ejabberd doesn't check whether the password transmitted
from the client is empty or not. That is the first problem. And the second
problem is that if you don't set the "Use plain text password" option in
your jabber client and you use ejabberd's ldap_auth, then ejabberd will
try to bind with an EMPTY password without any checks or warnings, no
matter what password you entered in your jabber client! And if you use
an LDAP server with anonymous access allowed, then you will be able
to use any account without knowing the password! 8)


Best regards,
Kivel Oleg.



ebjr> It uses "bind" requests to check user password.  If you need another way to
ebjr> authenticate users, please, describe it in bugzilla[1], preferably with
ebjr> examples of LDAP records.

ebjr> [1] http://www.jabber.ru/bugzilla/index.cgi
ebjr> _______________________________________________
ebjr> ejabberd mailing list
ebjr> ejabberd at jabber.ru
ebjr> http://lists.jabber.ru/mailman/listinfo/ejabberd
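
Added example, not part of the original message and not ejabberd's code: a small Python model of the simple-bind behaviour described above (RFC 4513 treats a bind with an empty password as anonymous/unauthenticated), with the bind-only check next to one that refuses empty or missing passwords before binding. The FakeLdapServer class, the function names and the sample directory entry are hypothetical and constructed for illustration.

```python
"""Model of LDAP simple-bind semantics (RFC 4513) and a password check built on it."""

# Constructed sample directory (DN -> password); not taken from the original post.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "correct horse"}


class FakeLdapServer:
    """Hypothetical stand-in for a directory server; no network access is used."""

    def __init__(self, entries, allow_anonymous=True):
        self.entries = entries
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn, password):
        # RFC 4513 5.1.1/5.1.2: an empty password makes the bind anonymous
        # ("unauthenticated" when a DN is supplied); the DN is never verified.
        if password == "":
            return "success" if self.allow_anonymous else "unwillingToPerform"
        if self.entries.get(dn) == password:
            return "success"
        return "invalidCredentials"


def check_password_bind_only(server, dn, password):
    """Behaviour described in the post: the bind result is trusted as-is."""
    return server.simple_bind(dn, password or "") == "success"


def check_password_strict(server, dn, password):
    """Refuse to bind unless the client supplied a non-empty plaintext password."""
    if not isinstance(password, str) or password == "":
        # Covers both cases from the post: an empty password, and a digest
        # login where no plaintext password reaches the server (None here).
        return False
    return server.simple_bind(dn, password) == "success"


if __name__ == "__main__":
    server = FakeLdapServer(DIRECTORY)
    dn = "uid=alice,ou=people,dc=example,dc=org"
    for pw in ("correct horse", "wrong", "", None):
        print(repr(pw),
              "bind-only:", check_password_bind_only(server, dn, pw),
              "strict:", check_password_strict(server, dn, pw))
```

Rejecting unauthenticated binds on the directory server itself (modelled by allow_anonymous=False) closes the same gap from the other side.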


