HI Nicholas,
I updated to PF 2.2.1 last night, everything is working great with the
exception that the PF admin WebUI login is requiring a valid username
from the context I have specified in admin_ldap.conf, but ignoring the
password entered, and a password does not even need to be entered. A
tcpdump on the PF server confirms that PF is checking the username
against the LDAP server.
That's seems quite weird to me, it should also check that the password
is working by binding to the LDAP server with the user credentials.
In checking the documentation, I have no user.conf anywhere. I also
noticed in the PF 2.2.1 source distro that there is a ui.conf that I
don't have in my RPM updated 2.2.1 install (although I don't know that
that file plays any role in the WebUI setup/authentication.
user.conf is for the captive portal authentication, not the admin UI.
Upon further testing, I noticed the following when authentication to
the admin webui:
1)The username must be in the LDAP source specified in the admin_ldap.conf
2)The username does not also need to be specified in admin.perm
3)None of the usernames in the LDAP source exist in the admin.conf file
4)The username used works with and without the use of a password
Because of items 3 and 4 above, it seems that some functionality in
login.php is not work properly....I noticed that there is a function
that is supposed to check for null passwords, which does not seem to
be working. The function for validating the username against a local
flat file when no result comes from LDAP seems to not be working
correctly. AD/LDAP does not permit anonymous binds, yet somehow LDAP
is being used to some degree as revealed by tcpdump captures.
If you put no password, it should try to do an anonymous bind and fail.
If it passes, that mean that the anonymous bind pass. Can you show us
using an ldapsearch that the anonymous binds are NOT working?
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
