WebGUI authentication with blank password and AD backend

  • We are using Active Directory accounts to authenticate to the webGUI and have discovered that leaving the password blank results in a successful authentication attempt.  I doubt this is the intended behaviour.

    This normally occurs when the back-end LDAP server treats a bind attempt with no password as anonymous and returns success even when a user was specified.  Could this be prevented by pfSense disallowing bind attempts with blank passwords when authenticating to the webGUI?

    The pfSense version is 2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 FreeBSD 8.1-RELEASE-p6

    ==== UPDATE ====

    Adding the following code to the start of the ldap_backed function in auth.inc fixes the perceived issue:

    if(!$passwd) {
        log_error("ERROR!  No password entered.");
        return false;

  • Rebel Alliance Developer Netgate

    Open a ticket at http://redmine.pfsense.org/ and we'll check on it. There aren't a lot of people out there using LDAP auth for the GUI so any input we get there is appreciated.

  • Registered as Bug #2326.

Log in to reply