On 06/05/2024 11:30, Simon N via Freeradius-Users wrote:
I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct or?
(1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local" (1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local" (1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local" (1) rlm_ldap bind auth - [2] Trunk connection assigned request 5 rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL (1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local (1) ldap - function - Resuming execution (1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
The key here is that AD has allowed the user to bind - FreeRADIUS ldap authentication attempts to bind as the user, having used the appropriate filter to find the user's DN - if AD has accepted that bind, then the user is authenticated. So AD has not required the use of a password. If AD cannot be configured to require a password for LDAP binds, then you should add policy to your FreeRADIUS configuration to reject authentication requests without a password. Nick -- Nick Porter