0004291: openvpn ldap authentication success with BLANK password and existing username - MantisBT Endian Bugtracker
ID: 0004291
Project: Endian Firewall
Category: OpenVPN Client and Server
View Status: public
Date Submitted: 2012-03-05 13:46
Last Update: 2012-07-09 09:21
Reporter: atlaware
Assigned To: lorenzo-endian
Priority: normal
Severity: major
Reproducibility: always
Status: feedback
Resolution: reopened
Platform:
OS:
OS Version:
Product Version: 2.4.1
Target Version:
Fixed in Version:
Summary: 0004291: openvpn ldap authentication success with BLANK password and existing username
Description:

Hi,

with openvpn configured with LDAP authentication (https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory), login succeeds with a blank password and a correct (existing) username.

If the username or password is wrong, login gives an authentication error, but if the username is correct and the password is empty, authentication succeeds.

I have tested with 2.4.1, but another user has found the same bug in 2.5.0
(https://endian.zendesk.com/entries/20655202-ssl-vpn-how-to-authenticate-vpn-users-with-active-directory) <- see comments

Settings file attached.
Additional Information:

A temporary solution (taken from user jesus christ in the Endian forum) is to add this code:

    if password == '':
        # Reject a blank password before the authentication backend is called.
        logger.info("FAILED to authenticate user '%s'." % (username))
        unlink(filename)
        sys.exit(1)

before the line "authBy = authenticate(username, password)" in the file /usr/bin/openvpn-auth

or this for the 2.5.0 version:

    if password == '':
        logger.info("FAILED to authenticate user '%s'." % (username))
        return 1

But the problem is in the auth LDAP module, which returns a successful login without a password.
Tags: No tags attached.
Attached Files: settings.txt (1,005 bytes) 2012-03-05 13:46
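
The symptom reported above (unknown user rejected, existing user accepted with an empty password), reproduced as an added example that is not Endian's code and not part of the original report. It assumes the LDAP module resolves the username to a DN and then performs a simple bind, and that the directory answers a zero-length password with success, which RFC 4513 defines as an unauthenticated bind; `StubDirectory`, the DN layout and the sample user are constructed for illustration.

```python
# Added example: a stub directory, not Endian's LDAP module or a real LDAP client.
import hmac


class StubDirectory:
    """Constructed stand-in for a server that applies RFC 4513 simple-bind rules."""

    def __init__(self, users):
        self._users = users  # constructed sample data: DN -> password

    def find_dn(self, username):
        # Assumed lookup step: resolve the login name to a DN before binding.
        dn = "cn=%s,dc=example,dc=test" % username
        return dn if dn in self._users else None

    def simple_bind(self, dn, password):
        if password == "":
            # Zero-length password: an "unauthenticated" bind. The server
            # reports success without verifying any credential for the DN.
            return True
        stored = self._users.get(dn)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())


def authenticate_naive(directory, username, password):
    """Treats any successful bind as proof of identity (the reported symptom)."""
    dn = directory.find_dn(username)
    if dn is None:
        return False  # unknown user: fails, as the report describes
    return directory.simple_bind(dn, password)


def authenticate_checked(directory, username, password):
    """Rejects empty credentials before the directory is ever contacted."""
    if not username or not password:
        return False
    return authenticate_naive(directory, username, password)


DIRECTORY = StubDirectory({"cn=alice,dc=example,dc=test": "s3cret"})  # constructed

if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", ""), ("mallory", "")]:
        print(user, repr(pw), authenticate_naive(DIRECTORY, user, pw),
              authenticate_checked(DIRECTORY, user, pw))
```

The check sits in the caller because a successful bind result alone does not show that a password was verified.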

- Relationships
parent of 0004349 (resolved, andrea-endian): active directory authentication with openvpn doesn't work

-  Notes
(0007912)
lorenzo-endian (manager)
2012-06-13 14:53

Hi atlaware,

I am testing the fix for this bug, but I am not able to reproduce the problem before applying the fix because all the clients I use prevent me from connecting with a blank password.

Can you tell me which client you were using when you discovered this problem?

Thanks in advance

Lo

- Issue History
Date Modified Username Field Change
2012-03-05 13:46 atlaware New Issue
2012-03-05 13:46 atlaware File Added: settings.txt
2012-04-02 09:37 christian-endian Status new => resolved
2012-04-02 09:37 christian-endian Resolution open => fixed
2012-04-02 09:37 christian-endian Assigned To => christian-endian
2012-06-13 14:53 lorenzo-endian Assigned To christian-endian => lorenzo-endian
2012-06-13 14:53 lorenzo-endian Note Added: 0007912
2012-06-13 14:53 lorenzo-endian Status resolved => feedback
2012-06-13 14:53 lorenzo-endian Resolution fixed => reopened
2012-07-09 08:22 daniele-endian Relationship added child of 0004349
2012-07-09 08:23 daniele-endian Relationship deleted child of 0004349
2012-07-09 09:21 daniele-endian Relationship added parent of 0004349
