From: Francois G. <fga...@in...> - 2011-06-30 17:14:08

Hi Nicholas,

> I updated to PF 2.2.1 last night, everything is working great with the
> exception that the PF admin WebUI login is requiring a valid username
> from the context I have specified in admin_ldap.conf, but ignoring the
> password entered, and a password does not even need to be entered. A
> tcpdump on the PF server confirms that PF is checking the username
> against the LDAP server.

That seems quite weird to me; it should also check that the password is working by binding to the LDAP server with the user credentials.

> In checking the documentation, I have no user.conf anywhere. I also
> noticed in the PF 2.2.1 source distro that there is a ui.conf that I
> don't have in my RPM updated 2.2.1 install (although I don't know that
> that file plays any role in the WebUI setup/authentication).

user.conf is for the captive portal authentication, not the admin UI.

> Upon further testing, I noticed the following when authenticating to
> the admin webui:
>
> 1) The username must be in the LDAP source specified in the admin_ldap.conf
>
> 2) The username does not also need to be specified in admin.perm
>
> 3) None of the usernames in the LDAP source exist in the admin.conf file
>
> 4) The username used works with and without the use of a password
>
> Because of items 3 and 4 above, it seems that some functionality in
> login.php is not working properly... I noticed that there is a function
> that is supposed to check for null passwords, which does not seem to
> be working. The function for validating the username against a local
> flat file when no result comes from LDAP seems to not be working
> correctly. AD/LDAP does not permit anonymous binds, yet somehow LDAP
> is being used to some degree as revealed by tcpdump captures.

If you put no password, it should try to do an anonymous bind and fail. If it passes, that means that the anonymous bind passes. Can you show us using an ldapsearch that the anonymous binds are NOT working?

--
Francois Gaudreault, ing. jr
fga...@in... :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
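The failure mode Francois describes, as an added illustration that is not PacketFence code: a simple bind that carries a DN but an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), and a server that accepts it answers success with anonymous authorization, so a login that equates "bind succeeded" with "password verified" lets any known username in with no password. The directory entries, DNs and the FakeLdapServer stand-in below are constructed for the demo.

```python
# Added example (not PacketFence code). Models why an empty password can
# "pass" an LDAP bind check and shows the guard that prevents it.

class BindResult:
    SUCCESS = "success"
    INVALID_CREDENTIALS = "invalidCredentials"


class FakeLdapServer:
    """Offline stand-in for an LDAP server that permits unauthenticated binds."""

    def __init__(self, entries, allow_unauthenticated=True):
        self.entries = entries                      # dn -> password (constructed)
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn, password):
        if dn and password == "":
            # RFC 4513 unauthenticated bind: no password is checked at all;
            # the server grants anonymous authorization and reports success.
            if self.allow_unauthenticated:
                return BindResult.SUCCESS
            return BindResult.INVALID_CREDENTIALS
        if self.entries.get(dn) == password:
            return BindResult.SUCCESS
        return BindResult.INVALID_CREDENTIALS


# Constructed sample directory with one admin account.
BASE_DN = "ou=people,dc=example,dc=org"
DIRECTORY = FakeLdapServer({f"uid=nicholas,{BASE_DN}": "s3cret"})


def find_dn(server, username):
    """Resolve a login name to its DN; None when the user is not in the source."""
    dn = f"uid={username},{BASE_DN}"
    return dn if dn in server.entries else None


def authenticate_naive(server, username, password):
    """Bug shape from the thread: bind success is taken as proof of the password."""
    dn = find_dn(server, username)
    return dn is not None and server.simple_bind(dn, password) == BindResult.SUCCESS


def authenticate_hardened(server, username, password):
    """Never send an empty password to the server; a real bind must succeed."""
    if not username or password is None or password == "":
        return False
    dn = find_dn(server, username)
    return dn is not None and server.simple_bind(dn, password) == BindResult.SUCCESS
```

Setting `allow_unauthenticated=False` models a server hardened to reject unauthenticated binds, which is the server-side check Francois asks Nicholas to confirm with ldapsearch; the application-side guard in `authenticate_hardened` is the fix that holds regardless of server policy.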