Project

General

Profile

Feature #9909

Add option to (dis)allow unauthenticated LDAP binds

Added by A FL 2 months ago. Updated 2 months ago.

Status:
Pull Request Review
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
11/16/2019
Due date:
% Done:

0%

Estimated time:

Description

Hello,

Microsoft AD make the (stupid...) assumption that when an empty password is provided to the LDAP server, the authentication should be automatically granted.

This Microsoft "feature" is called unauthenticated LDAP bind, and is enabled by default and impossible to disable before Microsoft server 2019 (more info here: https://blog.lithnet.io/2017/01/ad-lds-and-ldap-unauthenticated-binds.html )

Most pfSense components using LDAP (Login form for accessing the GUI, OpenVPN and IPsec Xauth modules) are performing additional checks, for ensuring that users didn't enter an empty password.
But the captive portal doesn't have such checks, since it is intended to allow empty passwords there.

Would it be possible to add an option to allow/disallow unauthenticated binds with an LDAP server?

History

#2 Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
  • Target version deleted (2.5.0)

Also available in: Atom PDF