SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0004291: openvpn ldap authentication success with BLANK password and existing username - MantisBT
MantisBT - Endian Firewall
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0004291Endian FirewallOpenVPN Client and Serverpublic2012-03-05 13:462012-07-09 09:21
Reporteratlaware 
Assigned Tolorenzo-endian 
PrioritynormalSeveritymajorReproducibilityalways
StatusfeedbackResolutionreopened 
PlatformOSOS Version
Product Version2.4.1 
Target VersionFixed in Version 
Customer Importance
Customer Occurrences
Queue
Summary0004291: openvpn ldap authentication success with BLANK password and existing username
DescriptionHi,

with openvpn configured with ldap authentication (https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory [^]) login has success with blank password and correct username (existing).

If username or password are wrong, login gives an authentication error, but if username is correct and password is empty authentication success.

I have tested with 2.4.1 but another user has found the same bug in 2.5.0
(https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory [^]) <- see comments

setting file attached.
Steps To Reproduce
Additional InformationA temporary solution (grab from user jesus christ in endian forum) is to add this code:

if password =='':
         logger.info ("FAILED to authenticate user '% s'."% (username))
         unlink (filename)
         sys.exit (1)

befor line: "authBy = authenticate(username, password)" in file /usr/bin/openvpn-auth

or this for 2.5.0 version:

if password == '':
         logger.info("FAILED to authenticate user '%s'." % (username))
         return 1

But the problem is in auth ldap module that return true login without password.
TagsNo tags attached.
Relationships
parent of 0004349resolved andrea-endian active directory authentication with openvpn doesn't work 
Attached Filestxt settings.txt (1,005) 2012-03-05 13:46
https://bugs.endian.com/file_download.php?file_id=918&type=bug
Issue History
Date ModifiedUsernameFieldChange
2012-03-05 13:46atlawareNew Issue
2012-03-05 13:46atlawareFile Added: settings.txt
2012-04-02 09:37christian-endianStatusnew => resolved
2012-04-02 09:37christian-endianResolutionopen => fixed
2012-04-02 09:37christian-endianAssigned To => christian-endian
2012-06-13 14:53lorenzo-endianAssigned Tochristian-endian => lorenzo-endian
2012-06-13 14:53lorenzo-endianNote Added: 0007912
2012-06-13 14:53lorenzo-endianStatusresolved => feedback
2012-06-13 14:53lorenzo-endianResolutionfixed => reopened
2012-07-09 08:22daniele-endianRelationship addedchild of 0004349
2012-07-09 08:23daniele-endianRelationship deletedchild of 0004349
2012-07-09 09:21daniele-endianRelationship addedparent of 0004349

Notes
(0007912)
lorenzo-endian   
2012-06-13 14:53   
Hi atlaware,

I am testing the fix of this bug but I am not able to reproduce this problem before applying the fix because all the clients I use prevents me to connect with a blank password.

Can you provide me which client you were using while discovering this problem?

Thanks in advance

Lo