Only allow LDAP/AD Login if there is a local mapping

Post here if you have some suggestions or you want to request a new feature.
Post Reply
ausotechteam
Posts: 1
Joined: Thu May 25, 2017 4:26 am

Only allow LDAP/AD Login if there is a local mapping

Post by ausotechteam »

WingFTP user authenticate sequence:
1) User "JOE" login with password "JOE2010".
2) Check the local user account to see if there is a account called "JOE".
2-1) if it exists, further check the local password. If password is correct, your login is successful. Otherwise, login has failed.
2-2) if the account does not exist, do LDAP authentication.
2-2-1) After completing the LDAP authentication, check if "JOE" has been mapped to a local user.
2-2-1-1) If "JOE" is mapped to a local user named "Local_JOE", then it will get all the attributes of "Local_JOE".
2-2-1-2) If there is no mapping for "JOE", take the LDAP authentication "Default Home Dir" as its home directory.
2-2-2) If the LDAP authentication fails, the login fails too.


For LDAP and or windows authentication (step 2-2-1-2) is it possible to configure it so that if LDAP/AD authentication succeeds and there is no LDAP/AD to local user mapping then access is denied. Maybe some kind of mapping/check box to enforce?
Basically the concern is that because we have our WingFTP server facing the internet it then creates a security risk if the default is to allow access
if there is a matching AD account. Essentially an attacker can use the WingFTP server to ‘validate’ usernames/passwords.

http://www.wftpserver.com/help/ftpserve ... torage.htm" rel="nofollow" rel="nofollow
FTP
Site Admin
Posts: 1917
Joined: Tue Sep 29, 2009 6:09 am

Re: Only allow LDAP/AD Login if there is a local mapping

Post by FTP »

If you handle the user login by the LDAP authentication all, then you can add the following Lua script into "Event Manager -> FTP (HTTP/SSH) Events -> OnUserLoggedIn -> Lua Script":

Code: Select all

local strDomain = "%Domain"
local strADUser = "%Name"
local strMapping = c_GetOptionStr(strDomain,DOPTION_LDAP_MAPPING_STR)

if not string.find(strMapping, "%Name"..":") then
	c_KickSessionByName(strDomain, strADUser)
end
Post Reply