WebGUI authentication with blank password and AD backend
-
We are using Active Directory accounts to authenticate to the webGUI and have discovered that leaving the password blank results in a successful authentication attempt. I doubt this is the intended behaviour.
This normally occurs when the back-end LDAP server treats a bind attempt with no password as anonymous and returns success even when a user was specified. Could this be prevented by pfSense disallowing bind attempts with blank passwords when authenticating to the webGUI?
The pfSense version is 2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 FreeBSD 8.1-RELEASE-p6
==== UPDATE ====
Adding the following code to the start of the ldap_backed function in auth.inc fixes the perceived issue:
if(!$passwd) {
log_error("ERROR! No password entered.");
return false;
} -
Open a ticket at http://redmine.pfsense.org/ and we'll check on it. There aren't a lot of people out there using LDAP auth for the GUI so any input we get there is appreciated.
-
Registered as Bug #2326.
