rlm_ldap: Successful login with empty password
Nick Porter
nick at portercomputing.co.uk
Mon May 6 10:39:53 UTC 2024
On 06/05/2024 11:30, Simon N via Freeradius-Users wrote:
> I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct or?
>
> (1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local"
> (1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local"
> (1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local"
> (1) rlm_ldap bind auth - [2] Trunk connection assigned request 5
> rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL
> (1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local
> (1) ldap - function - Resuming execution
> (1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
The key here is that AD has allowed the user to bind - FreeRADIUS ldap
authentication attempts to bind as the user, having used the appropriate
filter to find the user's DN - if AD has accepted that bind, then the
user is authenticated.
So AD has not required the use of a password. If AD cannot be
configured to require a password for LDAP binds, then you should add
policy to your FreeRADIUS configuration to reject authentication
requests without a password.
Nick
--
Nick Porter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20240506/69196ad4/attachment.sig>
More information about the Freeradius-Users
mailing list