WingFTP user authentication sequence:
1) User "JOE" logs in with password "JOE2010".
2) Check the local user accounts to see whether there is an account called "JOE".
2-1) If it exists, further check the local password. If the password is correct, the login is successful. Otherwise, the login fails.
2-2) If the account does not exist, do LDAP authentication.
2-2-1) After the LDAP authentication completes, check whether "JOE" has been mapped to a local user.
2-2-1-1) If "JOE" is mapped to a local user named "Local_JOE", it gets all the attributes of "Local_JOE".
2-2-1-2) If there is no mapping for "JOE", use the LDAP authentication's "Default Home Dir" as its home directory.
2-2-2) If the LDAP authentication fails, the login fails too.
For LDAP and/or Windows authentication (step 2-2-1-2), is it possible to configure it so that if LDAP/AD authentication succeeds and there is no LDAP/AD-to-local-user mapping, then access is denied? Maybe some kind of mapping check box to enforce this?
Basically, the concern is that because our WingFTP server faces the internet, it creates a security risk if the default is to allow access when there is a matching AD account. Essentially, an attacker can use the WingFTP server to 'validate' usernames/passwords.
http://www.wftpserver.com/help/ftpserve ... torage.htm
- Site Admin
If all user logins are handled by LDAP authentication, you can add the following Lua script under "Event Manager -> FTP (HTTP/SSH) Events -> OnUserLoggedIn -> Lua Script":
Code:
local strDomain  = "%Domain"   -- substituted by WingFTP with the session's domain
local strADUser  = "%Name"     -- substituted by WingFTP with the logged-in user name
-- Read the LDAP user-mapping string for this domain
local strMapping = c_GetOptionStr(strDomain, DOPTION_LDAP_MAPPING_STR)
-- If no "ADUser:" entry exists for this user, kick the session.
-- Plain (non-pattern) search so names containing '.', '-' etc. are matched literally.
if not string.find(strMapping, strADUser .. ":", 1, true) then
  c_KickSessionByName(strDomain, strADUser)
end
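A stricter variant of that hook, added here as an example and not WingFTP's or the forum's own code: it parses the mapping string into exact "ADUser:LocalUser" entries instead of searching for the substring "NAME:", so a login as "JOE" is not satisfied by an entry for "Local_JOE" or "JOE2". The mapping format (pairs separated by ';' or newlines) and case-insensitive AD user names are assumptions; the functions c_GetOptionStr and c_KickSessionByName and the constant DOPTION_LDAP_MAPPING_STR are the ones used in the reply above. Run stand-alone with plain `lua`, it exercises the parser against constructed sample data; pasted into the OnUserLoggedIn Lua Script slot, it performs the kick.

```lua
-- Added example (not WingFTP's or the poster's code): kick an LDAP/AD-authenticated
-- session unless the user has an explicit local mapping entry.
--
-- ASSUMPTIONS (not confirmed by the forum thread):
--   * the mapping string returned by c_GetOptionStr(domain, DOPTION_LDAP_MAPPING_STR)
--     is a list of "aduser:localuser" pairs separated by ';' and/or newlines;
--   * AD user names compare case-insensitively.
-- Adjust split_mapping() if your server stores the mapping differently.

local function trim(s)
  return (s:gsub("^[ \t]+", ""):gsub("[ \t]+$", ""))
end

-- Parse the mapping string into a table keyed by lower-cased AD user name.
local function split_mapping(mapping_str)
  local map = {}
  for entry in (mapping_str or ""):gmatch("[^;\r\n]+") do
    local ad_user, local_user = entry:match("^([^:]+):(.*)$")
    if ad_user then
      ad_user, local_user = trim(ad_user), trim(local_user)
      if ad_user ~= "" and local_user ~= "" then
        map[ad_user:lower()] = local_user
      end
    end
  end
  return map
end

-- Exact, case-insensitive lookup: returns the local user or nil.
local function mapped_local_user(mapping_str, ad_user)
  return split_mapping(mapping_str)[trim(ad_user):lower()]
end

if c_GetOptionStr and c_KickSessionByName then
  -- Running inside WingFTP: %Domain and %Name are substituted by the server
  -- before the script executes.
  local strDomain  = "%Domain"
  local strADUser  = "%Name"
  local strMapping = c_GetOptionStr(strDomain, DOPTION_LDAP_MAPPING_STR)
  if not mapped_local_user(strMapping, strADUser) then
    c_KickSessionByName(strDomain, strADUser)
  end
else
  -- Running stand-alone (e.g. `lua enforce_mapping.lua`): constructed sample mapping.
  local sample = "JOE:Local_JOE;alice:ftp_alice\n bob : ftp_bob \nLocal_JOE:Local_JOE_admin"
  assert(mapped_local_user(sample, "JOE")   == "Local_JOE")
  assert(mapped_local_user(sample, "joe")   == "Local_JOE")   -- case-insensitive
  assert(mapped_local_user(sample, "Alice") == "ftp_alice")
  assert(mapped_local_user(sample, "bob")   == "ftp_bob")     -- whitespace trimmed
  assert(mapped_local_user(sample, "JOE2")  == nil)           -- no prefix match
  assert(mapped_local_user(sample, "_JOE")  == nil)           -- no suffix match
  print("mapping checks passed")
end
```

Because OnUserLoggedIn fires only after the LDAP bind has already succeeded, the kick closes the default-access gap but does not fully remove the credential-oracle concern raised in the question: a client that is authenticated and then disconnected can still be told apart from one that receives a login failure. Keeping the mapping list complete remains the primary control; the script is a safety net for accounts that were missed.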