Add option to (dis)allow unauthenticated LDAP binds
Microsoft AD make the (stupid...) assumption that when an empty password is provided to the LDAP server, the authentication should be automatically granted.
This Microsoft "feature" is called unauthenticated LDAP bind, and is enabled by default and impossible to disable before Microsoft server 2019 (more info here: https://blog.lithnet.io/2017/01/ad-lds-and-ldap-unauthenticated-binds.html )
Most pfSense components using LDAP (Login form for accessing the GUI, OpenVPN and IPsec Xauth modules) are performing additional checks, for ensuring that users didn't enter an empty password.
But the captive portal doesn't have such checks, since it is intended to allow empty passwords there.
Would it be possible to add an option to allow/disallow unauthenticated binds with an LDAP server?
Updated by Viktor Gurov almost 2 years ago
- Status changed from Feedback to Resolved
tested on 2.5.0.a.20200616.1850 + Win2008R2 AD
works as expected - when the "Allow unauthenticated bind" checkbox is selected, it successfully logs with an empty password, and denies access when checkbox is unchecked