SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0004291: openvpn ldap authentication success with BLANK password and existing username - MantisBT
MantisBT - Endian Firewall
View Issue Details
0004291Endian FirewallOpenVPN Client and Serverpublic2012-03-05 13:462012-07-09 09:21
atlaware 
lorenzo-endian 
normalmajoralways
feedbackreopened 
2.4.1 
 
0004291: openvpn ldap authentication success with BLANK password and existing username
Hi,

with openvpn configured with ldap authentication (https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory [^]) login has success with blank password and correct username (existing).

If username or password are wrong, login gives an authentication error, but if username is correct and password is empty authentication success.

I have tested with 2.4.1 but another user has found the same bug in 2.5.0
(https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory [^]) <- see comments

setting file attached.
A temporary solution (grab from user jesus christ in endian forum) is to add this code:

if password =='':
         logger.info ("FAILED to authenticate user '% s'."% (username))
         unlink (filename)
         sys.exit (1)

befor line: "authBy = authenticate(username, password)" in file /usr/bin/openvpn-auth

or this for 2.5.0 version:

if password == '':
         logger.info("FAILED to authenticate user '%s'." % (username))
         return 1

But the problem is in auth ldap module that return true login without password.
No tags attached.
parent of 0004349resolved andrea-endian active directory authentication with openvpn doesn't work 
txt settings.txt (1,005) 2012-03-05 13:46
https://bugs.endian.com/file_download.php?file_id=918&type=bug
Issue History
2012-03-05 13:46atlawareNew Issue
2012-03-05 13:46atlawareFile Added: settings.txt
2012-04-02 09:37christian-endianStatusnew => resolved
2012-04-02 09:37christian-endianResolutionopen => fixed
2012-04-02 09:37christian-endianAssigned To => christian-endian
2012-06-13 14:53lorenzo-endianAssigned Tochristian-endian => lorenzo-endian
2012-06-13 14:53lorenzo-endianNote Added: 0007912
2012-06-13 14:53lorenzo-endianStatusresolved => feedback
2012-06-13 14:53lorenzo-endianResolutionfixed => reopened
2012-07-09 08:22daniele-endianRelationship addedchild of 0004349
2012-07-09 08:23daniele-endianRelationship deletedchild of 0004349
2012-07-09 09:21daniele-endianRelationship addedparent of 0004349

Notes
(0007912)
lorenzo-endian   
2012-06-13 14:53   
Hi atlaware,

I am testing the fix of this bug but I am not able to reproduce this problem before applying the fix because all the clients I use prevents me to connect with a blank password.

Can you provide me which client you were using while discovering this problem?

Thanks in advance

Lo