connect via LDAP without password

  • #30012
    ntservis
    Participant

    Hello,

    I use version 4.0.1 32-bit with LDAP authentication. When I try to connect via an AD user, I can connect without the correct password. Cerberus local users work fine.

    Thanks

    #35717
    imported_Serin
    Participant

    Hello,

    Do you mean you are connecting to an Active Directory server via LDAP and the users authenticate even with the wrong password?

    #35718
    imported_Serin
    Participant

    Also, can you post a log file showing the issue? I’ve done some additional testing with LDAP authentication and password validation seems to be working fine.

    #35719
    ntservis
    Participant

    Yes, exactly as you write. I am connecting to the AD server via LDAP and the user is authenticated even with a wrong (blank) password.

    This is the log of a user connecting with a blank password.

    [2010-05-27 11:25:28]:CONNECT [Server] – Incoming connection request on interface 8 at

    [2010-05-27 11:25:28]:CONNECT [Server] – SSH FTP Connection request accepted from

    [2010-05-27 11:25:29]:CONNECT [ 73] – Key Exchange Algorithm Negotiation Success: Proceeding with key exchange

    [2010-05-27 11:25:29]:CONNECT [ 73] – Kex: ‘diffie-hellman-group-exchange-sha1’ Host Key: ‘ssh-rsa’ C2S : ‘aes256-cbc, hmac-sha1, none’ S2C : ‘aes256-cbc, hmac-sha1, none’

    [2010-05-27 11:25:29]:CONNECT [ 73] –

    [2010-05-27 11:25:29]: INFO [ 73] – DH Key sizes: Server Public ‘2045’, Private ‘2047’, Client Public ‘2045’

    [2010-05-27 11:25:30]:CONNECT [ 73] – Client username: ‘user’ password: ‘***********’

    [2010-05-27 11:25:30]:CONNECT [ 73] – LDAP user ‘user’ authenticated

    [2010-05-27 11:25:30]: SYSTEM [ 73] – Channel Open: ‘session’, Sender Channel: 256, Init Window Size: 16384, Max Packet Size: 16384

    [2010-05-27 11:25:30]:CONNECT [ 73] – Creating local channel: 640

    [2010-05-27 11:25:30]:CONNECT [ 73] – Channel Request: ‘subsystem’, Recipient Channel: 640, Subsystem Name: ‘sftp’, Reply: true

    [2010-05-27 11:25:30]:COMMAND [ 73] – Client SFTP version: 3

    [2010-05-27 11:25:30]:COMMAND [ 73] – Real Path for ‘.’

    [2010-05-27 11:25:30]:COMMAND [ 73] – Real Path for ‘/.’

    [2010-05-27 11:25:31]:COMMAND [ 73] – Opening directory handle to ‘/’

    [2010-05-27 11:25:31]: SYSTEM [ 73] – Handle ‘/’ closed

    [2010-05-27 11:25:39]: INFO [ 73] – Received EOF on channel ‘640’

    [2010-05-27 11:25:39]:CONNECT [ 73] – Sending EOF for channel ‘256’

    [2010-05-27 11:25:39]:CONNECT [ 73] – Sending Close for channel ‘256’

    [2010-05-27 11:25:39]:CONNECT [ 73] – Channel ‘640’ removed

    [2010-05-27 11:25:39]:CONNECT [ 73] – Request to close channel ‘640’

    [2010-05-27 11:25:39]:CONNECT [ 73] – The client closed the connection

    [2010-05-27 11:25:39]:CONNECT [ 73] – Connection terminated

    These are my LDAP settings: http://leteckaposta.cz/653693584

    Thanks

    #35720
    imported_Serin
    Participant

    I’m doing some further testing now. Authentication seems to be working correctly with FTP and FTPS, but not SFTP. I’ll get back to you soon.

    #35721
    imported_Serin
    Participant

    It appears what is happening is that an LDAP authenticate with no password will work (it is being interpreted as an anonymous bind by your LDAP server) but an LDAP authentication with the wrong password is correctly rejected.

    For SFTP, there is always an attempt to LDAP authenticate first with no password so the authentication request is always working and proceeding as an anonymous LDAP bind.

    We have a fix available now and will post a new version today to resolve the issue.

    #35722
    imported_Serin
    Participant

    We’ve posted version 4.0.1.1 that should completely resolve the LDAP issue. Please let me know if it resolves your LDAP issue.

    Thanks for reporting this bug to us.

    #35723
    ntservis
    Participant

    Hello,

    With the new version it works. I'll still be testing, but I think it will be OK.

    Thanks for prompt solution.

    #35724
    ntservis
    Participant

    I tested user access with authentication using LDAP. Everything works fine.

    The only mistake is that I can sign in despite a disabled account. Can you remove this little problem?

    Thanks

    #35725
    imported_Serin
    Participant

    Yes, we can take advantage of that for group accounts. Originally we used group accounts with LDAP and Active Directory as simply a way to link in virtual directories and to require or not require secure connections. All of the other group settings are ignored for Active Directory and LDAP.

    However, there is no reason we can’t (and shouldn’t) examine the disabled flag. We will add in support for disabled groups with LDAP and Active Directory in a minor release sometime next week.
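An added example, not Cerberus FTP Server code, modelling the two problems in this thread: the anonymous-bind acceptance explained in post #35721 and the disabled-account sign-in from the last two posts. The directory server is a constructed in-process stub so it runs offline; the `userAccountControl` / `ACCOUNTDISABLE` check is Active Directory's attribute, an assumption that goes beyond what the thread states about Cerberus group settings.

```python
# Added example (not Cerberus code). The directory is simulated in-process.
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # bit in Active Directory's userAccountControl

# Constructed sample directory: DN -> (password, userAccountControl)
DIRECTORY = {
    "CN=user,OU=Staff,DC=example,DC=com": ("s3cret", 0x0200),
    "CN=old,OU=Staff,DC=example,DC=com": ("s3cret", 0x0200 | ACCOUNTDISABLE),
}


@dataclass
class BindResult:
    success: bool
    anonymous: bool  # True when the server treated the bind as anonymous


def simulated_bind(dn: str, password: str) -> BindResult:
    """Models a server that allows unauthenticated binds (RFC 4513 5.1.2):
    a DN with an empty password 'succeeds', but only as an anonymous session.
    A wrong non-empty password is rejected, as Serin observed."""
    if password == "":
        return BindResult(success=True, anonymous=True)
    entry = DIRECTORY.get(dn)
    if entry is None or entry[0] != password:
        return BindResult(success=False, anonymous=False)
    return BindResult(success=True, anonymous=False)


def lookup_uac(dn: str) -> int:
    """Stands in for an LDAP search of userAccountControl after binding."""
    return DIRECTORY[dn][1]


def authenticate_naive(dn: str, password: str) -> bool:
    """The pattern the 4.0.1 SFTP behaviour implies: any bind that the
    server reports as successful is treated as a valid login."""
    return simulated_bind(dn, password).success


def authenticate_hardened(dn: str, password: str) -> bool:
    """Refuse empty credentials before ever binding, require the bind to be
    non-anonymous, and reject accounts flagged ACCOUNTDISABLE."""
    if not dn or not password:
        return False
    result = simulated_bind(dn, password)
    if not result.success or result.anonymous:
        return False
    return not (lookup_uac(dn) & ACCOUNTDISABLE)
```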
