rlm_ldap: Successful login with empty password

Nick Porter nick at portercomputing.co.uk
Mon May 6 10:39:53 UTC 2024


On 06/05/2024 11:30, Simon N via Freeradius-Users wrote:
> I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct, or is it?
>
> (1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local"
> (1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local"
> (1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
> (1) rlm_ldap bind auth - [2] Trunk connection assigned request 5
> rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL
> (1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local
> (1) ldap - function - Resuming execution
> (1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful

The key here is that AD has allowed the user to bind - FreeRADIUS ldap 
authentication attempts to bind as the user, having used the appropriate 
filter to find the user's DN - if AD has accepted that bind, then the 
user is authenticated.

So AD has not required the use of a password.  If AD cannot be 
configured to require a password for LDAP binds, then you should add 
policy to your FreeRADIUS configuration to reject authentication 
requests without a password.

Nick

-- 
Nick Porter

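One way to add the policy Nick describes, as an added example that is not part of the thread or of the FreeRADIUS project's own configuration. It assumes FreeRADIUS 3.x unlang syntax (the `&` attribute references and the `authorize` section); in a v4 server the equivalent check belongs in the `recv Access-Request` section and the attribute reference syntax may differ, so treat the exact spelling as an assumption to verify against your version. The point of the check is that a simple bind with a DN and a zero-length password is the "unauthenticated" bind of RFC 4513 section 5.1.2, which Active Directory answers with success, so the empty password must be refused before rlm_ldap ever attempts the bind.

```unlang
# Added example, not from the thread or the FreeRADIUS project.
# Assumes FreeRADIUS 3.x unlang syntax; verify against your version.
authorize {
    # Only PAP requests carry User-Password. CHAP, MS-CHAP and EAP
    # requests legitimately have none, so test for presence first and
    # reject only when the attribute is present but empty. Without this
    # check rlm_ldap would bind as the user's DN with an empty password,
    # which AD treats as an unauthenticated bind and accepts.
    if (&User-Password && (&User-Password == "")) {
        update reply {
            &Reply-Message := "Empty password not permitted"
        }
        reject
    }

    # Normal processing continues: the ldap module looks up the DN and,
    # for PAP requests, sets Auth-Type so the bind is attempted in the
    # authenticate section.
    ldap
}
```

After adding the policy, confirm it with a plain PAP test request carrying an empty password (for example `radtest test "" localhost 0 testing123`) and check that the debug output shows the reject before any "Starting bind auth operation" line from the ldap module.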