weird LDAP auth behavior

[gerflo09]

Hi all,

I'm pretty new to OPNsense and I'm impressed by the state of the software and the UI. It's really sophisticated and intuitive, but also nice looking ;-)

But I have a strange behavior here with the authorization against a Windows 2003 AD:

I can connect to LDAP with  correct bind credentials and get the authentication containers and so on, so LDAP connection seems to be OK.
When I test user credentials against this server, he don't accept credentials in the form of username@myDomain.com.
BUT, he accepts EVERY name or password combination, as soon as I write it in the form of DOMAIN\username.
That means, that he will let me in, even if I have totally garbage as my credentials. All I have to know is the name of the AD domain! So everyone can access the firewall???

What am I doing wrong here?

[gerflo09]

Shall I file this as a bug?

[AdSchellevis]

Hi gerflo09,

When using ldap authentication for the webgui you need to import the respective users into OPNsense first to be able to grant them rights (when ldap is the default auth, there will be a small icon at the right bottom corner in the user manager).

When using the test button on the authentication page, it will first check the user database for a linked dn and then tries to connect that userdn with the provided password.
If there is no local linked user available (and hence no ACL), it will do an ldap search and tries to perform a connect for the first found user.

The only reason I can think of when a random user/pass combination is accepted is when your active directory server has anonymous bind enabled.

Regards,

Ad

[gerflo09]

Thank you for the information.
Id did so, but now I get the following message on some users:

"The username contains invalid characters."

Unfortunately the LDAP connector uses the full name for the username and some of us have ß or ö in their names.
I'm also not able to edit the name - is there a solution for that?

[weust]

Have a look at this. Maybe it can help you?