OPNsense Forum » Archive » 16.1 Legacy Series » weird LDAP auth behavior
Topic: weird LDAP auth behavior (Read 5191 times)
gerflo09
Newbie
Posts: 28
Karma: 0
weird LDAP auth behavior
« on: May 26, 2016, 02:12:13 pm »
Hi all,
I'm pretty new to OPNsense and I'm impressed by the state of the software and the UI. It's really sophisticated and intuitive, but also nice looking ;-)
But I have a strange behavior here with the authorization against a Windows 2003 AD:
I can connect to LDAP with correct bind credentials and get the authentication containers and so on, so the LDAP connection seems to be OK.
When I test user credentials against this server, it doesn't accept credentials in the form of username@myDomain.com.
BUT it accepts EVERY name or password combination as soon as I write it in the form of DOMAIN\username.
That means it will let me in even if I enter total garbage as my credentials. All I have to know is the name of the AD domain! So everyone can access the firewall???
What am I doing wrong here?
Logged
gerflo09
Newbie
Posts: 28
Karma: 0
Re: weird LDAP auth behavior
« Reply #1 on: May 26, 2016, 08:15:49 pm »
Shall I file this as a bug?
Logged
AdSchellevis
Administrator
Hero Member
Posts: 904
Karma: 183
Re: weird LDAP auth behavior
« Reply #2 on: May 27, 2016, 10:00:43 am »
Hi gerflo09,
When using LDAP authentication for the web GUI, you need to import the respective users into OPNsense first to be able to grant them rights (when LDAP is the default auth, there will be a small icon in the bottom right corner of the user manager).
When using the test button on the authentication page, it will first check the user database for a linked DN and then try to connect with that user DN and the provided password.
If there is no local linked user available (and hence no ACL), it will do an LDAP search and try to perform a connect for the first user found.
The only reason I can think of for a random user/pass combination being accepted is that your Active Directory server has anonymous bind enabled.
Regards,
Ad
Logged
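The bind-based check Ad describes (resolve the user's DN, then bind as that DN with the supplied password) and the anonymous-bind failure mode he suspects, as an added example that is not part of this thread or of OPNsense's own code. A constructed in-memory directory stands in for the AD server; `FakeDirectory`, `bare_username`, `authenticate_naive` and `authenticate` are all assumptions made for the example. It models the RFC 4513 rule that a bind with a DN and an empty password is an "unauthenticated" bind (Active Directory accepts it by default and yields an anonymous session), which is the classic way a password check ends up accepting garbage: the bind "succeeds", but nobody was actually authenticated.

```python
"""
Constructed simulation of an LDAP password-check flow: look up the user's
DN, then bind as that DN with the supplied password.  The directory below
is a fake, in-memory stand-in (not a real LDAP client or server) built for
this example.  It models two server behaviours:

  * RFC 4513 5.1.2 "unauthenticated" bind: a DN plus an EMPTY password is
    accepted and produces an anonymous session (AD default behaviour).
  * whether anonymous binds are allowed at all.

authenticate_naive() treats "the bind did not fail" as success, which is
the pitfall; authenticate() adds the checks a defender wants.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BindResult:
    ok: bool
    authz_identity: str   # "" means an anonymous / unauthenticated session


def bare_username(username):
    """Reduce 'DOMAIN\\user' or 'user@domain' to 'user' (constructed helper;
    a real AD understands both forms in the bind itself)."""
    if "\\" in username:
        return username.rsplit("\\", 1)[1]
    return username.split("@", 1)[0]


class FakeDirectory:
    """Minimal stand-in for an LDAP server (constructed for this example)."""

    def __init__(self, users, allow_anonymous_bind):
        self.users = users                        # dn -> (sAMAccountName, password)
        self.allow_anonymous_bind = allow_anonymous_bind

    def search_dn(self, username):
        """The search step: DN of the first user whose sAMAccountName
        matches, or None when nothing matches."""
        wanted = bare_username(username).lower()
        for dn, (sam, _) in self.users.items():
            if sam.lower() == wanted:
                return dn
        return None

    def bind(self, dn, password):
        # Name + empty password = unauthenticated bind (RFC 4513 5.1.2).
        if password == "":
            return BindResult(self.allow_anonymous_bind, "")
        if dn in self.users and self.users[dn][1] == password:
            return BindResult(True, dn)
        return BindResult(False, "")              # invalidCredentials


def authenticate_naive(directory, username, password):
    """Pitfall: any bind that 'succeeded' counts, including an anonymous one,
    and an unresolved user is bound with an empty DN."""
    dn = directory.search_dn(username)
    return directory.bind(dn or "", password).ok


def authenticate(directory, username, password):
    """Hardened check: non-empty password, a resolved DN, and the bind must
    have produced an authenticated session for exactly that DN."""
    if not password:                              # never send an empty password
        return False
    dn = directory.search_dn(username)
    if dn is None:
        return False
    result = directory.bind(dn, password)
    return result.ok and result.authz_identity == dn


if __name__ == "__main__":
    # Constructed sample directory with anonymous bind enabled.
    ad = FakeDirectory(
        {"CN=Alice,OU=Staff,DC=example,DC=com": ("alice", "correct horse")},
        allow_anonymous_bind=True,
    )
    for user, pw in [("alice", ""), ("EXAMPLE\\nobody", ""), ("EXAMPLE\\alice", "correct horse")]:
        print(f"{user!r:24} naive={authenticate_naive(ad, user, pw)!s:5} hardened={authenticate(ad, user, pw)}")
```

The hardened version fails closed on both ends of the flow: it never sends an empty password, so the server cannot downgrade the bind to anonymous, and it checks that the session really is bound as the DN that was looked up rather than trusting a bare "bind succeeded". Disabling anonymous bind on the directory closes the hole server-side, but the client-side checks are still worth having because they do not depend on every directory being configured correctly.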
gerflo09
Newbie
Posts: 28
Karma: 0
Re: weird LDAP auth behavior
« Reply #3 on: May 29, 2016, 12:19:52 am »
Thank you for the information.
I did so, but now I get the following message for some users:
"The username contains invalid characters."
Unfortunately the LDAP connector uses the full name for the username and some of us have ß or ö in their names.
I'm also not able to edit the name - is there a solution for that?
Logged
weust
Hero Member
Posts: 650
Karma: 57
Re: weird LDAP auth behavior
« Reply #4 on: May 29, 2016, 11:01:25 am »
Have a look at this. Maybe it can help you?
Logged
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.