Timo,
It seems that the "nopassword" extra field (more precisely, the auth_request->no_password
condition) is completely ignored in passdb-ldap.c, because of this code (line 112 as of
Dovecot 1.1.7):
===
if (auth_request->passdb_password == NULL) {
auth_request_log_error(auth_request, "ldap",
"No password in reply");
} else if (ldap_next_entry(conn->ld, entry) != NULL) {
auth_request_log_error(auth_request, "ldap",
"pass_filter matched multiple objects, aborting");
} else if (auth_request->passdb_password == NULL &&
!auth_request->no_password) {
auth_request_log_info(auth_request, "ldap",
"Empty password returned without nopassword");
passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
passdb_result = PASSDB_RESULT_OK;
}
===
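As we can see, the first "if" block catches the auth_request->passdb_password ==
NULL condition without checking auth_request->no_password, so for a NULL
password line 127 (passdb_result = PASSDB_RESULT_OK) is unreachable even if
auth_request->no_password is set. The same check also makes the third branch
("Empty password returned without nopassword") dead code; once the first block
is removed, that branch is the one that still returns
PASSDB_RESULT_PASSWORD_MISMATCH for a missing password when nopassword is not
set.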
For my local installation I've just removed the first "if" block (see the
attached patch), and that seems to fix the problem.
--- src/auth/passdb-ldap.c 2008-10-26 18:00:45.000000000 +0300
+++ src/auth/passdb-ldap.c.nopassword 2008-12-19 01:57:18.000000000 +0300
@@ -109,10 +109,7 @@
password = NULL;
ldap_query_save_result(conn, entry, auth_request);
- if (auth_request->passdb_password == NULL) {
- auth_request_log_error(auth_request, "ldap",
- "No password in reply");
- } else if (ldap_next_entry(conn->ld, entry) != NULL) {
+ if (ldap_next_entry(conn->ld, entry) != NULL) {
auth_request_log_error(auth_request, "ldap",
"pass_filter matched multiple objects, aborting");
} else if (auth_request->passdb_password == NULL &&