SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264
| Anonymous | Login | 2020-03-30 01:00 UTC |  |
| Main | My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||
| 0004291 | Endian Firewall | OpenVPN Client and Server | public | 2012-03-05 13:46 | 2012-07-09 09:21 | ||||||
| Reporter | atlaware | ||||||||||
| Assigned To | lorenzo-endian | ||||||||||
| Priority | normal | Severity | major | Reproducibility | always | ||||||
| Status | feedback | Resolution | reopened | ||||||||
| Platform | OS | OS Version | |||||||||
| Product Version | 2.4.1 | ||||||||||
| Target Version | Fixed in Version | ||||||||||
| Summary | 0004291: openvpn ldap authentication success with BLANK password and existing username | ||||||||||
| Description | Hi, with openvpn configured with ldap authentication (https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory [^]) login has success with blank password and correct username (existing). If username or password are wrong, login gives an authentication error, but if username is correct and password is empty authentication success. I have tested with 2.4.1 but another user has found the same bug in 2.5.0 (https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory [^]) <- see comments setting file attached. | ||||||||||
| Additional Information | A temporary solution (grab from user jesus christ in endian forum) is to add this code: if password =='': logger.info ("FAILED to authenticate user '% s'."% (username)) unlink (filename) sys.exit (1) befor line: "authBy = authenticate(username, password)" in file /usr/bin/openvpn-auth or this for 2.5.0 version: if password == '': logger.info("FAILED to authenticate user '%s'." % (username)) return 1 But the problem is in auth ldap module that return true login without password. | ||||||||||
| Tags | No tags attached. | ||||||||||
| Attached Files |  settings.txt [^] (1,005 bytes) 2012-03-05 13:46 [Show Content]
| ||||||||||
 Relationships |
||||||
|
||||||
 Relationships |
|
Notes |
|
|
(0007912) lorenzo-endian (manager) 2012-06-13 14:53 |
Hi atlaware, I am testing the fix of this bug but I am not able to reproduce this problem before applying the fix because all the clients I use prevents me to connect with a blank password. Can you provide me which client you were using while discovering this problem? Thanks in advance Lo |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2012-03-05 13:46 | atlaware | New Issue | |
| 2012-03-05 13:46 | atlaware | File Added: settings.txt | |
| 2012-04-02 09:37 | christian-endian | Status | new => resolved |
| 2012-04-02 09:37 | christian-endian | Resolution | open => fixed |
| 2012-04-02 09:37 | christian-endian | Assigned To | => christian-endian |
| 2012-06-13 14:53 | lorenzo-endian | Assigned To | christian-endian => lorenzo-endian |
| 2012-06-13 14:53 | lorenzo-endian | Note Added: 0007912 | |
| 2012-06-13 14:53 | lorenzo-endian | Status | resolved => feedback |
| 2012-06-13 14:53 | lorenzo-endian | Resolution | fixed => reopened |
| 2012-07-09 08:22 | daniele-endian | Relationship added | child of 0004349 |
| 2012-07-09 08:23 | daniele-endian | Relationship deleted | child of 0004349 |
| 2012-07-09 09:21 | daniele-endian | Relationship added | parent of 0004349 |
|
Issue History |
| Copyright © 2000 - 2012 MantisBT Group |
 |