Revision eeceb2ca
Added by A FL almost 6 years ago
| src/etc/inc/auth.inc | ||
|---|---|---|
| 1371 | 1371 |
return false; |
| 1372 | 1372 |
} |
| 1373 | 1373 |
|
| 1374 |
if (!isset($authcfg['ldap_allow_unauthenticated']) && $passwd == '') {
|
|
| 1375 |
$attributes['error_message'] = gettext("Invalid credentials.");
|
|
| 1376 |
return false; |
|
| 1377 |
} |
|
| 1378 |
|
|
| 1374 | 1379 |
if (!function_exists("ldap_connect")) {
|
| 1375 | 1380 |
log_error(gettext("ERROR! unable to find ldap_connect() function."));
|
| 1376 | 1381 |
$attributes['error_message'] = gettext("Internal error during authentication.");
|
| ... | ... | |
| 1959 | 1964 |
|
| 1960 | 1965 |
/* Validate incoming login request */ |
| 1961 | 1966 |
$attributes = array('nas_identifier' => 'webConfigurator-' . gethostname());
|
| 1962 |
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
|
|
| 1967 |
if (isset($_POST['login']) && !empty($_POST['usernamefld'])) {
|
|
| 1963 | 1968 |
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']); |
| 1964 | 1969 |
$remoteauth = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes); |
| 1965 | 1970 |
if ($remoteauth || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
|
| src/etc/inc/ipsec.auth-user.php | ||
|---|---|---|
| 51 | 51 |
$authmodes = explode(",", getenv("authcfg"));
|
| 52 | 52 |
} |
| 53 | 53 |
|
| 54 |
if (!$username || !$password) {
|
|
| 54 |
if (!$username) {
|
|
| 55 | 55 |
syslog(LOG_ERR, "invalid user authentication environment"); |
| 56 | 56 |
if (isset($_GET['username'])) {
|
| 57 | 57 |
echo "FAILED"; |
| src/etc/inc/openvpn.auth-user.php | ||
|---|---|---|
| 53 | 53 |
$common_name = getenv("common_name");
|
| 54 | 54 |
} |
| 55 | 55 |
|
| 56 |
if (!$username || !$password) {
|
|
| 56 |
if (!$username) {
|
|
| 57 | 57 |
syslog(LOG_ERR, "invalid user authentication environment"); |
| 58 | 58 |
if (isset($_GET['username'])) {
|
| 59 | 59 |
echo "FAILED"; |
| src/usr/local/www/diag_authentication.php | ||
|---|---|---|
| 40 | 40 |
$input_errors[] = sprintf(gettext('%s is not a valid authentication server'), $_POST['authmode']);
|
| 41 | 41 |
} |
| 42 | 42 |
|
| 43 |
if (empty($_POST['username']) || empty($_POST['password'])) {
|
|
| 43 |
if (empty($_POST['username'])) {
|
|
| 44 | 44 |
$input_errors[] = gettext("A username and password must be specified.");
|
| 45 | 45 |
} |
| 46 | 46 |
|
| src/usr/local/www/guiconfig.inc | ||
|---|---|---|
| 144 | 144 |
'desc' => "OpenLDAP", |
| 145 | 145 |
'attr_user' => "cn", |
| 146 | 146 |
'attr_group' => "cn", |
| 147 |
'attr_member' => "member"), |
|
| 147 |
'attr_member' => "member", |
|
| 148 |
'allow_unauthenticated' => "true"), |
|
| 148 | 149 |
|
| 149 | 150 |
'msad' => array( |
| 150 | 151 |
'desc' => "Microsoft AD", |
| 151 | 152 |
'attr_user' => "samAccountName", |
| 152 | 153 |
'attr_group' => "cn", |
| 153 |
'attr_member' => "memberOf"), |
|
| 154 |
'attr_member' => "memberOf", |
|
| 155 |
'allow_unauthenticated' => "false"), |
|
| 154 | 156 |
|
| 155 | 157 |
'edir' => array( |
| 156 | 158 |
'desc' => "Novell eDirectory", |
| 157 | 159 |
'attr_user' => "cn", |
| 158 | 160 |
'attr_group' => "cn", |
| 159 |
'attr_member' => "uniqueMember")); |
|
| 161 |
'attr_member' => "uniqueMember", |
|
| 162 |
'allow_unauthenticated' => "false")); |
|
| 160 | 163 |
|
| 161 | 164 |
$radius_srvcs = array( |
| 162 | 165 |
'both' => gettext("Authentication and Accounting"),
|
| src/usr/local/www/system_authservers.php | ||
|---|---|---|
| 161 | 161 |
$pconfig['ldap_attr_groupobj'] = $a_server[$id]['ldap_attr_groupobj']; |
| 162 | 162 |
$pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']); |
| 163 | 163 |
$pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']); |
| 164 |
$pconfig['ldap_allow_unauthenticated'] = isset($a_server[$id]['ldap_allow_unauthenticated']); |
|
| 164 | 165 |
$pconfig['ldap_rfc2307'] = isset($a_server[$id]['ldap_rfc2307']); |
| 165 | 166 |
|
| 166 | 167 |
if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw']) {
|
| ... | ... | |
| 336 | 337 |
} else {
|
| 337 | 338 |
unset($server['ldap_nostrip_at']); |
| 338 | 339 |
} |
| 340 |
if ($pconfig['ldap_allow_unauthenticated'] == "yes") {
|
|
| 341 |
$server['ldap_allow_unauthenticated'] = true; |
|
| 342 |
} else {
|
|
| 343 |
unset($server['ldap_allow_unauthenticated']); |
|
| 344 |
} |
|
| 339 | 345 |
if ($pconfig['ldap_rfc2307'] == "yes") {
|
| 340 | 346 |
$server['ldap_rfc2307'] = true; |
| 341 | 347 |
} else {
|
| ... | ... | |
| 765 | 771 |
$pconfig['ldap_nostrip_at'] |
| 766 | 772 |
))->setHelp('e.g. user@host becomes user when unchecked.');
|
| 767 | 773 |
|
| 774 |
$section->addInput(new Form_Checkbox( |
|
| 775 |
'ldap_allow_unauthenticated', |
|
| 776 |
'Allow unauthenticated bind', |
|
| 777 |
'Allow unauthenticated bind', |
|
| 778 |
$pconfig['ldap_allow_unauthenticated'], |
|
| 779 |
))->setHelp('Unauthenticated binds are bind with an existing login but with an empty password. '.
|
|
| 780 |
'Some LDAP servers (Microsoft AD) allow this type of bind without any possiblity to disable it.'); |
|
| 781 |
|
|
| 768 | 782 |
$form->add($section); |
| 769 | 783 |
|
| 770 | 784 |
// ==== RADIUS section ======================================================== |
| ... | ... | |
| 980 | 994 |
$('#ldap_attr_user').val("<?=$tmpldata['attr_user'];?>");
|
| 981 | 995 |
$('#ldap_attr_group').val("<?=$tmpldata['attr_group'];?>");
|
| 982 | 996 |
$('#ldap_attr_member').val("<?=$tmpldata['attr_member'];?>");
|
| 997 |
$("#ldap_allow_unauthenticated").attr("checked", <?=$tmpldata['allow_unauthenticated'];?>);
|
|
| 983 | 998 |
break; |
| 984 | 999 |
<?php |
| 985 | 1000 |
$index++; |
| src/usr/local/www/wizards/openvpn_wizard.inc | ||
|---|---|---|
| 493 | 493 |
$auth['ldap_attr_groupobj'] = $pconfig['step2']['ldap_attr_groupobj']; |
| 494 | 494 |
$auth['ldap_utf8'] = isset($pconfig['step2']['ldap_utf8']); |
| 495 | 495 |
$auth['ldap_nostrip_at'] = isset($pconfig['step2']['ldap_nostrip_at']); |
| 496 |
$auth['ldap_allow_unauthenticated'] = isset($pconfig['step2']['ldap_allow_unauthenticated']); |
|
| 496 | 497 |
|
| 497 | 498 |
} else if ($auth['type'] == "radius") {
|
| 498 | 499 |
$auth['host'] = $pconfig['step2']['ip']; |
| src/usr/local/www/wizards/openvpn_wizard.xml | ||
|---|---|---|
| 304 | 304 |
<description>e.g. user@host becomes user when unchecked.</description> |
| 305 | 305 |
<bindstofield>ovpnserver->step2->ldap_nostrip_at</bindstofield> |
| 306 | 306 |
</field> |
| 307 |
<field> |
|
| 308 |
<name>ldap_allow_unauthenticated</name> |
|
| 309 |
<displayname>Allow unauthenticated bind</displayname> |
|
| 310 |
<type>checkbox</type> |
|
| 311 |
<typehint>Allow unauthenticated bind</typehint> |
|
| 312 |
<description>Unauthenticated binds are bind with an existing login but with an empty password.</description> |
|
| 313 |
<bindstofield>ovpnserver->step2->ldap_allow_unauthenticated</bindstofield> |
|
| 314 |
</field> |
|
| 307 | 315 |
<field> |
| 308 | 316 |
<type>submit</type> |
| 309 | 317 |
<name>Add new Server</name> |
Also available in: Unified diff
Add option to disallow unauthenticated LDAP binds