
Feature #9909

closed

Add option to (dis)allow unauthenticated LDAP binds

Added by A FL over 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Category: Authentication
Start date: 11/16/2019
% Done: 100%

Description

Hello,

Microsoft AD makes the (stupid...) assumption that when an empty password is provided to the LDAP server, the authentication should be automatically granted.

This Microsoft "feature" is called unauthenticated LDAP bind, and is enabled by default and impossible to disable before Microsoft Server 2019 (more info here: https://blog.lithnet.io/2017/01/ad-lds-and-ldap-unauthenticated-binds.html )

Most pfSense components using LDAP (the login form for accessing the GUI, and the OpenVPN and IPsec Xauth modules) perform additional checks to ensure that users didn't enter an empty password.
But the captive portal doesn't have such checks, since it is intended to allow empty passwords there.

Would it be possible to add an option to allow/disallow unauthenticated binds with an LDAP server?
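The pitfall the request describes, as an added example that is not part of the original ticket or of the pfSense code base: RFC 4513 section 5.1.2 defines a Simple Bind with a non-empty name and an empty password as an "unauthenticated" bind, and a server that accepts it (Active Directory's default behaviour, as the report notes) returns success while the session is in fact anonymous. The `FakeADServer` class, the `authenticate_user` function, its `allow_unauthenticated_bind` parameter and the sample directory are all constructed for illustration; the real pfSense checkbox and its implementation are not reproduced here.

```python
"""Model of the LDAP unauthenticated-bind pitfall and a client-side guard.

A login form that forwards the user's (possibly empty) password straight to
ldap_bind() treats any bind that returns success as a proven identity.
Against a server that accepts unauthenticated binds, an empty password for
any DN "succeeds", so the guard below refuses empty passwords before they
reach the server unless the caller has explicitly opted in.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample directory (DN -> password); not real data.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "CN=alice,CN=Users,DC=example,DC=test": "correct horse battery",
    "CN=bob,CN=Users,DC=example,DC=test": "hunter2",
}

ANONYMOUS = "anonymous"


@dataclass
class FakeADServer:
    """Stand-in for a directory server's Simple Bind handling.

    unauthenticated_binds_allowed=True mirrors the default described in the
    ticket for Active Directory; False mirrors a server that rejects the
    RFC 4513 5.1.2 mechanism.
    """
    accounts: Dict[str, str]
    unauthenticated_binds_allowed: bool = True

    def simple_bind(self, dn: str, password: str) -> Tuple[bool, str]:
        """Return (bind_succeeded, authorization_identity)."""
        if dn == "" and password == "":
            # RFC 4513 5.1.1: anonymous bind.
            return True, ANONYMOUS
        if password == "":
            # RFC 4513 5.1.2: unauthenticated bind. The DN is not verified;
            # on success the session is still anonymous.
            if self.unauthenticated_binds_allowed:
                return True, ANONYMOUS
            return False, ""
        if self.accounts.get(dn) == password:
            return True, dn
        return False, ""


def authenticate_user(server: FakeADServer, dn: str, password: str,
                      allow_unauthenticated_bind: bool = False) -> bool:
    """Bind as dn/password and report whether the user is authenticated.

    Two layers of defence when unauthenticated binds are not allowed:
      1. never send an empty password to the server (the check the ticket
         says most pfSense components already perform);
      2. treat a successful bind that yields an anonymous identity as a
         failure (in a real deployment the RFC 4532 "Who am I?" extended
         operation gives this information).
    """
    if password == "" and not allow_unauthenticated_bind:
        return False
    ok, identity = server.simple_bind(dn, password)
    if not ok:
        return False
    if identity == ANONYMOUS and not allow_unauthenticated_bind:
        return False
    return True


if __name__ == "__main__":
    srv = FakeADServer(SAMPLE_DIRECTORY)
    alice = "CN=alice,CN=Users,DC=example,DC=test"
    print("real password :", authenticate_user(srv, alice, "correct horse battery"))
    print("empty, guarded:", authenticate_user(srv, alice, ""))
    print("empty, allowed:", authenticate_user(srv, alice, "", allow_unauthenticated_bind=True))
```

With the guard in its default state an empty password is rejected before any network round trip; with `allow_unauthenticated_bind=True` the call behaves like the captive-portal case in the ticket, where an empty password is meant to be accepted, and the bind "succeeds" even though the server has not verified the DN.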

#2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
  • Target version deleted (2.5.0)
#3

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

Pull request has been merged. Thanks!

#4

Updated by Viktor Gurov almost 4 years ago

  • Status changed from Feedback to Resolved

tested on 2.5.0.a.20200616.1850 + Win2008R2 AD

works as expected - when the "Allow unauthenticated bind" checkbox is selected, it successfully logs in with an empty password, and denies access when the checkbox is unchecked

#5

Updated by Jim Pingle almost 4 years ago

  • Target version set to 2.5.0