Anonymous binds are not permitted. See below:
[root@pfence01 conf]# ldapsearch -h 10.10.0.26 -p 389 -x -b
"OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv"
# extended LDIF
#
# LDAPv3
# base <OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform
this ope
ration a successful bind must be completed on the connection., data 0,
vece
# numResponses: 1
[root@pfence01 conf]#
[root@pfence01 conf]# ldapsearch -h 10.10.0.26 -x -b
"OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv"
# extended LDIF
#
# LDAPv3
# base <OU=IS,OU=Users,OU=American OUs,dc=ds,dc=atv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform
this ope
ration a successful bind must be completed on the connection., data 0,
vece
# numResponses: 1
From: Francois Gaudreault [mailto:[email protected]]
Sent: Thursday, June 30, 2011 12:14 PM
To: [email protected]
Subject: Re: [Packetfence-users] LDAP auth for webui issue in PF 2.2.1
HI Nicholas,
I updated to PF 2.2.1 last night, everything is working great with the
exception that the PF admin WebUI login is requiring a valid username
from the context I have specified in admin_ldap.conf, but ignoring the
password entered, and a password does not even need to be entered. A
tcpdump on the PF server confirms that PF is checking the username
against the LDAP server.
That's seems quite weird to me, it should also check that the password
is working by binding to the LDAP server with the user credentials.
In checking the documentation, I have no user.conf anywhere. I also
noticed in the PF 2.2.1 source distro that there is a ui.conf that I
don't have in my RPM updated 2.2.1 install (although I don't know that
that file plays any role in the WebUI setup/authentication.
user.conf is for the captive portal authentication, not the admin UI.
Upon further testing, I noticed the following when authentication to the
admin webui:
The username must be in the LDAP source specified in the admin_ldap.conf
The username does not also need to be specified in admin.perm
None of the usernames in the LDAP source exist in the admin.conf file
The username used works with and without the use of a password
Because of items 3 and 4 above, it seems that some functionality in
login.php is not work properly....I noticed that there is a function
that is supposed to check for null passwords, which does not seem to be
working. The function for validating the username against a local flat
file when no result comes from LDAP seems to not be working correctly.
AD/LDAP does not permit anonymous binds, yet somehow LDAP is being used
to some degree as revealed by tcpdump captures.
If you put no password, it should try to do an anonymous bind and fail.
If it passes, that mean that the anonymous bind pass. Can you show us
using an ldapsearch that the anonymous binds are NOT working?
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
