Project

General

Profile

Feature #9909

Add option to (dis)allow unauthenticated LDAP binds

Added by A FL 5 months ago. Updated about 2 months ago.

Status:
Feedback
Priority:
Normal
Category:
Authentication
Target version:
-
Start date:
11/16/2019
Due date:
% Done:

100%

Estimated time:

Description

Hello,

Microsoft AD make the (stupid...) assumption that when an empty password is provided to the LDAP server, the authentication should be automatically granted.

This Microsoft "feature" is called unauthenticated LDAP bind, and is enabled by default and impossible to disable before Microsoft server 2019 (more info here: https://blog.lithnet.io/2017/01/ad-lds-and-ldap-unauthenticated-binds.html )

Most pfSense components using LDAP (Login form for accessing the GUI, OpenVPN and IPsec Xauth modules) are performing additional checks, for ensuring that users didn't enter an empty password.
But the captive portal doesn't have such checks, since it is intended to allow empty passwords there.

Would it be possible to add an option to allow/disallow unauthenticated binds with an LDAP server?

History

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Pull Request Review
  • Target version deleted (2.5.0)

#3 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

Pull request has been merged. Thanks!

Also available in: Atom PDF