Project

General

Profile

Actions

Feature #9909

closed

Add option to (dis)allow unauthenticated LDAP binds

Added by A FL almost 5 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
Authentication
Target version:
Start date:
11/16/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Hello,

Microsoft AD make the (stupid...) assumption that when an empty password is provided to the LDAP server, the authentication should be automatically granted.

This Microsoft "feature" is called unauthenticated LDAP bind, and is enabled by default and impossible to disable before Microsoft server 2019 (more info here: https://blog.lithnet.io/2017/01/ad-lds-and-ldap-unauthenticated-binds.html )

Most pfSense components using LDAP (Login form for accessing the GUI, OpenVPN and IPsec Xauth modules) are performing additional checks, for ensuring that users didn't enter an empty password.
But the captive portal doesn't have such checks, since it is intended to allow empty passwords there.

Would it be possible to add an option to allow/disallow unauthenticated binds with an LDAP server?

Actions #2

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Pull Request Review
  • Target version deleted (2.5.0)
Actions #3

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

Pull request has been merged. Thanks!

Actions #4

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

tested on 2.5.0.a.20200616.1850 + Win2008R2 AD

works as expected - when the "Allow unauthenticated bind" checkbox is selected, it successfully logs with an empty password, and denies access when checkbox is unchecked

Actions #5

Updated by Jim Pingle over 4 years ago

  • Target version set to 2.5.0
Actions

Also available in: Atom PDF