From: Timo Sirainen <tss@iki.fi>
Date: Wed, 27 Aug 2014 04:38:53 +0000 (+0900)
Subject: auth ldap: Don't require password field to exist for passdb lookups when auth_bind... 
X-Git-Tag: 2.2.14.rc1~122
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f647ff6ee9c16160596e8f8c84ebbd89021c81e;p=thirdparty%2Fdovecot%2Fcore.git

auth ldap: Don't require password field to exist for passdb lookups when auth_bind=yes.
This should fix lmtp/doveadm proxy lookups with auth_bind=yes
---

diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c
index 8bb918210a..a784956ddb 100644
--- a/src/auth/passdb-ldap.c
+++ b/src/auth/passdb-ldap.c
@@ -36,6 +36,7 @@ struct passdb_ldap_request {
 	} callback;
 
 	unsigned int entries;
+	bool require_password;
 };
 
 static void
@@ -83,6 +84,7 @@ ldap_lookup_finish(struct auth_request *auth_request,
 			"pass_filter matched multiple objects, aborting");
 		passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
 	} else if (auth_request->passdb_password == NULL &&
+		   ldap_request->require_password &&
 		   !auth_fields_exists(auth_request->extra_fields, "nopassword")) {
 		auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
 			"No password returned (and no nopassword)");
@@ -273,7 +275,8 @@ static void ldap_bind_lookup_dn_callback(struct ldap_connection *conn,
 }
 
 static void ldap_lookup_pass(struct auth_request *auth_request,
-			     struct passdb_ldap_request *request)
+			     struct passdb_ldap_request *request,
+			     bool require_password)
 {
 	struct passdb_module *_module = auth_request->passdb->passdb;
 	struct ldap_passdb_module *module =
@@ -284,6 +287,7 @@ static void ldap_lookup_pass(struct auth_request *auth_request,
 	const char **attr_names = (const char **)conn->pass_attr_names;
 	string_t *str;
 
+	srequest->require_password = require_password;
 	srequest->request.type = LDAP_REQUEST_TYPE_SEARCH;
 	vars = auth_request_get_var_expand_table(auth_request, ldap_escape);
 
@@ -390,7 +394,7 @@ ldap_verify_plain(struct auth_request *request,
 	ldap_request->request.ldap.auth_request = request;
 
 	if (!conn->set.auth_bind)
-		ldap_lookup_pass(request, ldap_request);
+		ldap_lookup_pass(request, ldap_request, TRUE);
 	else if (conn->set.auth_bind_userdn == NULL)
 		ldap_bind_lookup_dn(request, ldap_request);
 	else
@@ -401,6 +405,7 @@ static void ldap_lookup_credentials(struct auth_request *request,
 				    lookup_credentials_callback_t *callback)
 {
 	struct passdb_ldap_request *ldap_request;
+	bool require_password;
 
 	ldap_request = p_new(request->pool, struct passdb_ldap_request, 1);
 	ldap_request->callback.lookup_credentials = callback;
@@ -408,7 +413,11 @@ static void ldap_lookup_credentials(struct auth_request *request,
 	auth_request_ref(request);
 	ldap_request->request.ldap.auth_request = request;
 
-        ldap_lookup_pass(request, ldap_request);
+	/* with auth_bind=yes we don't necessarily have a password.
+	   this will fail actual password credentials lookups, but it's fine
+	   for passdb lookups done by lmtp/doveadm */
+	require_password = !conn->set.auth_bind;
+        ldap_lookup_pass(request, ldap_request, require_password);
 }
 
 static struct passdb_module *