Messages - Quaid0808

#1
Hi,

Output from logfile with different scenarios:
Trying an unknown user: (null password)

Feb 22 19:40:55 OPNsensetest captiveportal[60900]: DENY eyvindh (192.168.10.50) zone 0

Trying a user with wrong password:

Feb 22 19:42:08 OPNsensetest captiveportal[60900]: LDAP bind error (Invalid credentials)
Feb 22 19:42:08 OPNsensetest captiveportal[60900]: DENY eyvind (192.168.10.50) zone 0

Trying a known user with blank password:
Feb 22 19:42:31 OPNsensetest captiveportal[60900]: AUTH eyvind (192.168.10.50) zone 0

Same result with correct username/password.

Best regards,
Eyvind
#2
About AD and anonymous binds:

Active Directory (past Windows 2000) does not allow anonymous operations other than rootDSE searches, by default. So, if you are able to bind anonymously to Active Directory, that means one of two things. Either

    You are connecting to RootDSE, for which anonymous binds should be allowed by design.
    You have already modified Active Directory to allow anonymous binds for non-rootDSE operations and now you need to revert that configuration.

Anonymous binds to RootDSE should be allowed, because RootDSE is how most applications obtain information about the directory in order to complete further binds, such as distinguished names of various partitions, etc. No sensitive information is contained within RootDSE, and anonymous binding to RootDSE is how it was designed to work. Things will break if applications cannot bind anonymously to RootDSE.
#3
Hi. Thanks for the reply.

I have not found any solution for LDAP. Tester works like it should, blank password not allowed, and connection to LDAP server is with binding (username/password).
I changed server to Radius, and then captive portal is working as expected.

I have also tried with 2 different Active Directory servers, one which was installed from start with Windows 2012 server, but the same happens here.

Also: I have OpenVPN running with same LDAP server, and here blank password is refused, so I still think there is a bug in captive portal...

Best regards,
Eyvind
#4
Hi.

We have discovered a bug in captive portal, at least after upgrade to 17.1.1.
Captive portal with LDAP backend allows login with blank password as long as username is correct.
If typing wrong password, access is denied, correct password is working as expected.
We have tried to delete the captive portal and installed a new in 17.1, but as long as using LDAP backend, blank password is allowed.
When using local users, then captive portal is working as expected.

Best regards,
Eyvind
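
The pattern in these posts (unknown user denied, wrong password denied, blank password accepted) matches what happens when an LDAP client treats any successful simple bind as proof of identity and the server accepts a bind with a name and an empty password as an unauthenticated bind, as RFC 4513 section 5.1.2 describes. The following is an added example, not OPNsense code and not from the posts; the class and function names, the user and the DN are hypothetical, and that this is the cause of the captive portal behaviour is an assumption.

```python
# Added example (not OPNsense code): hypothetical names, constructed data.
from enum import Enum


class BindKind(Enum):
    ANONYMOUS = 1        # empty name, empty password
    UNAUTHENTICATED = 2  # name given, empty password (RFC 4513, 5.1.2)
    NAME_PASSWORD = 3    # name and password both non-empty
    MALFORMED = 4        # password without a name


def classify_simple_bind(name, password):
    """Classify a simple bind request the way RFC 4513 section 5.1 does."""
    if not password:
        return BindKind.UNAUTHENTICATED if name else BindKind.ANONYMOUS
    return BindKind.NAME_PASSWORD if name else BindKind.MALFORMED


class PermissiveDirectory:
    """Constructed stand-in for a server that accepts unauthenticated binds."""

    def __init__(self, users):
        self.users = users  # username -> (dn, password)

    def find_dn(self, username):
        entry = self.users.get(username)
        return entry[0] if entry else None

    def simple_bind(self, dn, password):
        kind = classify_simple_bind(dn, password)
        if kind in (BindKind.ANONYMOUS, BindKind.UNAUTHENTICATED):
            return True  # bind succeeds, but the session is anonymous
        known = {d: p for d, p in self.users.values()}
        return kind is BindKind.NAME_PASSWORD and known.get(dn) == password


def naive_login(directory, username, password):
    """Flawed pattern: any successful bind is taken as proof of identity."""
    dn = directory.find_dn(username)
    return dn is not None and directory.simple_bind(dn, password)


def guarded_login(directory, username, password):
    """Reject anything that is not a true name/password bind before binding."""
    dn = directory.find_dn(username)
    if classify_simple_bind(dn, password) is not BindKind.NAME_PASSWORD:
        return False
    return directory.simple_bind(dn, password)


DIRECTORY = PermissiveDirectory({"alice": ("cn=alice,dc=example,dc=test", "s3cret")})
```

With the constructed directory, `naive_login` reproduces the four outcomes listed in the log excerpts, while `guarded_login` refuses the blank password without contacting the directory.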