Only allow LDAP/AD Login if there is a local mapping

Postby ausotechteam » Thu May 25, 2017 11:16 pm

WingFTP user authenticate sequence:
1) User "JOE" logs in with password "JOE2010".
2) Check the local user accounts to see if there is an account called "JOE".
2-1) if it exists, further check the local password. If password is correct, your login is successful. Otherwise, login has failed.
2-2) if the account does not exist, do LDAP authentication.
2-2-1) After completing the LDAP authentication, check if "JOE" has been mapped to a local user.
2-2-1-1) If "JOE" is mapped to a local user named "Local_JOE", then it will get all the attributes of "Local_JOE".
2-2-1-2) If there is no mapping for "JOE", take the LDAP authentication "Default Home Dir" as its home directory.
2-2-2) If the LDAP authentication fails, the login fails too.


For LDAP and/or Windows authentication (step 2-2-1-2), is it possible to configure it so that if LDAP/AD authentication succeeds and there is no LDAP/AD-to-local-user mapping, then access is denied? Maybe some kind of mapping check box to enforce this?
Basically the concern is that because we have our WingFTP server facing the internet, it creates a security risk if the default is to allow access whenever there is a matching AD account. Essentially an attacker can use the WingFTP server to ‘validate’ usernames/passwords.

http://www.wftpserver.com/help/ftpserver/index.html?data_storage.htm

Re: Only allow LDAP/AD Login if there is a local mapping

Postby FTP » Thu Jun 01, 2017 2:50 pm

If all user logins are handled by LDAP authentication, then you can add the following Lua script into "Event Manager -> FTP (HTTP/SSH) Events -> OnUserLoggedIn -> Lua Script":

Code:
-- Runs on OnUserLoggedIn; %Domain and %Name are substituted by Wing FTP before the script executes
local strDomain = "%Domain"
local strADUser = "%Name"
-- The domain's LDAP user-mapping string, as configured in the LDAP settings
local strMapping = c_GetOptionStr(strDomain, DOPTION_LDAP_MAPPING_STR)

-- Plain (non-pattern) search, so usernames containing '.', '-' or '%' are not misread as Lua patterns;
-- note this is still a substring match, so "JOE:" would also match inside "MYJOE:"
if not string.find(strMapping, strADUser .. ":", 1, true) then
   -- No local mapping exists for this AD user: drop the session
   c_KickSessionByName(strDomain, strADUser)
end


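The login sequence quoted in the first post, modelled step by step with the "require a local mapping" switch the poster asks for, as an added example that is not Wing FTP's code or the admin's script. The Server class, the callback standing in for the LDAP/AD bind, and all sample accounts other than JOE/JOE2010/Local_JOE are constructed assumptions; the mapping is a dict, so the lookup is exact rather than a substring search.

```python
"""Model of the Wing FTP login sequence from the post, extended with a
'deny AD logins that have no local mapping' switch.
Added example: not Wing FTP code; names, data shapes and samples are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Server:
    local_users: Dict[str, str]            # local account -> local password
    ldap_auth: Callable[[str, str], bool]  # stands in for the LDAP/AD bind
    ldap_mapping: Dict[str, str]           # AD account -> local account
    default_home: str                      # the LDAP config's "Default Home Dir"
    require_mapping: bool = False          # the switch the post asks for


def authenticate(srv: Server, user: str, password: str) -> Tuple[str, str]:
    """Return ('ok', <where the attributes come from>) or ('denied', <reason>)."""
    # 2 / 2-1: a local account is checked against its local password only.
    if user in srv.local_users:
        if srv.local_users[user] == password:
            return ("ok", "local:" + user)
        return ("denied", "bad local password")
    # 2-2: no local account, so authenticate against LDAP/AD.
    if not srv.ldap_auth(user, password):
        return ("denied", "ldap failed")                   # 2-2-2
    # 2-2-1: exact lookup of the AD name (dict key, not a substring match).
    local = srv.ldap_mapping.get(user)
    if local is not None:
        return ("ok", "mapped:" + local)                    # 2-2-1-1
    if srv.require_mapping:
        return ("denied", "no local mapping")               # requested behaviour
    return ("ok", "default_home:" + srv.default_home)       # 2-2-1-2, current default


def sample_server(require_mapping: bool) -> Server:
    """Constructed sample data: two AD accounts, only one of them mapped locally."""
    ad_accounts = {"JOE": "JOE2010", "ANN": "ann-pw"}
    return Server(
        local_users={"Local_Admin": "adm-pw"},
        ldap_auth=lambda u, p: ad_accounts.get(u) == p,
        ldap_mapping={"JOE": "Local_JOE"},
        default_home="/srv/ftp/default",
        require_mapping=require_mapping,
    )


if __name__ == "__main__":
    for flag in (False, True):
        # ANN is a valid AD account with no mapping: allowed today, denied with the switch.
        print(flag, authenticate(sample_server(flag), "ANN", "ann-pw"))
```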