Only allow LDAP/AD Login if there is a local mapping
Posted: Thu May 25, 2017 11:16 pm
WingFTP user authentication sequence:
1) User "JOE" logs in with password "JOE2010".
2) Check the local user accounts to see if there is an account called "JOE".
2-1) If it exists, further check the local password. If the password is correct, your login is successful. Otherwise, login has failed.
2-2) If the account does not exist, do LDAP authentication.
2-2-1) After completing the LDAP authentication, check if "JOE" has been mapped to a local user.
2-2-1-1) If "JOE" is mapped to a local user named "Local_JOE", then it will get all the attributes of "Local_JOE".
2-2-1-2) If there is no mapping for "JOE", take the LDAP authentication "Default Home Dir" as its home directory.
2-2-2) If the LDAP authentication fails, the login fails too.
For LDAP and/or Windows authentication (step 2-2-1-2), is it possible to configure it so that if LDAP/AD authentication succeeds and there is no LDAP/AD to local user mapping, then access is denied? Maybe some kind of mapping/check box to enforce this?
Basically the concern is that because we have our WingFTP server facing the internet, it then creates a security risk if the default is to allow access if there is a matching AD account. Essentially an attacker can use the WingFTP server to 'validate' usernames/passwords.
http://www.wftpserver.com/help/ftpserve ... torage.htm
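An added example (not Wing FTP's code) that models the login sequence quoted in the post as a decision function, with an assumed `require_mapping` switch that denies LDAP/AD users who have no local mapping, which is the behaviour the post asks for; the local accounts, mapping table, directory credentials and home directories are constructed sample data.

```python
# Model of the quoted WingFTP login sequence (added example, not the product's code).
# The "require_mapping" switch is an assumption: it is the "deny if no local
# mapping" option the post asks for, not a documented Wing FTP setting.
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LoginResult:
    allowed: bool
    reason: str
    home_dir: Optional[str] = None


# Constructed sample data: one local account, one LDAP->local mapping.
LOCAL_USERS = {"ALICE": {"password": "alice-pw", "home": "/srv/ftp/alice"}}
LDAP_MAPPINGS = {"JOE": "Local_JOE"}          # directory user -> local profile
LOCAL_PROFILES = {"Local_JOE": {"home": "/srv/ftp/joe"}}
LDAP_DEFAULT_HOME = "/srv/ftp/default"         # the "Default Home Dir" of step 2-2-1-2


def fake_ldap_bind(user: str, password: str) -> bool:
    """Stand-in for the directory bind; constructed credentials only."""
    return (user, password) in {("JOE", "JOE2010"), ("BOB", "bob-pw")}


def authenticate(user: str, password: str,
                 ldap_bind: Callable[[str, str], bool] = fake_ldap_bind,
                 require_mapping: bool = False) -> LoginResult:
    # Step 2 / 2-1: a local account is decided on the local password only.
    local = LOCAL_USERS.get(user)
    if local is not None:
        if hmac.compare_digest(password, local["password"]):
            return LoginResult(True, "local", local["home"])
        return LoginResult(False, "local password wrong")
    # Step 2-2 / 2-2-2: no local account, so fall through to LDAP/AD.
    if not ldap_bind(user, password):
        return LoginResult(False, "ldap bind failed")
    # Step 2-2-1-1: mapped directory user inherits the local profile.
    mapped = LDAP_MAPPINGS.get(user)
    if mapped is not None:
        return LoginResult(True, "ldap+mapping", LOCAL_PROFILES[mapped]["home"])
    # Step 2-2-1-2: valid directory credentials but no local mapping.
    # Default behaviour admits the user into the default home directory;
    # with require_mapping the login is refused instead.
    if require_mapping:
        return LoginResult(False, "ldap ok but no local mapping")
    return LoginResult(True, "ldap default home", LDAP_DEFAULT_HOME)
```

Running `authenticate("BOB", "bob-pw")` with and without `require_mapping=True` shows the difference the post is concerned about: the same valid directory credentials are admitted to the default home directory by default and refused once a mapping is required.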