WebGUI authentication with blank password and AD backend

KaneR

We are using Active Directory accounts to authenticate to the webGUI and have discovered that leaving the password blank results in a successful authentication attempt.  I doubt this is the intended behaviour.

This normally occurs when the back-end LDAP server treats a bind attempt with no password as anonymous and returns success even when a user was specified.  Could this be prevented by pfSense disallowing bind attempts with blank passwords when authenticating to the webGUI?

The pfSense version is 2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 FreeBSD 8.1-RELEASE-p6

==== UPDATE ====

Adding the following code to the start of the ldap_backed function in auth.inc fixes the perceived issue:

if(!$passwd) {
    log_error("ERROR!  No password entered.");
    return false;
}

jimp

Open a ticket at http://redmine.pfsense.org/ and we'll check on it. There aren't a lot of people out there using LDAP auth for the GUI so any input we get there is appreciated.

KaneR

Registered as Bug #2326.