WingFTP user authentication sequence:
1) User "JOE" logs in with password "JOE2010".
2) Check the local user accounts to see if there is an account called "JOE".
2-1) If it exists, check the local password. If the password is correct, the login succeeds; otherwise, the login fails.
2-2) If the account does not exist, do LDAP authentication.
2-2-1) After LDAP authentication completes, check whether "JOE" has been mapped to a local user.
2-2-1-1) If "JOE" is mapped to a local user named "Local_JOE", it gets all the attributes of "Local_JOE".
2-2-1-2) If there is no mapping for "JOE", the LDAP authentication's "Default Home Dir" is used as its home directory.
2-2-2) If the LDAP authentication fails, the login fails too.
For LDAP and/or Windows authentication (step 2-2-1-2), is it possible to configure it so that if LDAP/AD authentication succeeds and there is no LDAP/AD-to-local-user mapping, then access is denied? Maybe some kind of mapping check box to enforce this?
Basically, the concern is that because we have our WingFTP server facing the internet, it creates a security risk if the default is to allow access whenever there is a matching AD account. Essentially, an attacker can use the WingFTP server to 'validate' usernames/passwords.
http://www.wftpserver.com/help/ftpserve ... torage.htm
Only allow LDAP/AD Login if there is a local mapping
Site Admin
Re: Only allow LDAP/AD Login if there is a local mapping
If you handle all user logins through LDAP authentication, then you can add the following Lua script under "Event Manager -> FTP (HTTP/SSH) Events -> OnUserLoggedIn -> Lua Script":
-- %Domain and %Name are WingFTP event variables, substituted before the script runs
local strDomain = "%Domain"
local strADUser = "%Name"
-- read the LDAP-to-local user mapping string configured for this domain
local strMapping = c_GetOptionStr(strDomain, DOPTION_LDAP_MAPPING_STR)
-- plain (non-pattern) search so user names containing Lua magic characters do not break the check
if not string.find(strMapping, strADUser .. ":", 1, true) then
  -- authenticated against LDAP/AD but not mapped to a local user: end the session
  c_KickSessionByName(strDomain, strADUser)
end
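The substring check above also accepts "JOE:" inside an entry for "NOTJOE:" and treats "joe" and "JOE" differently even though AD names are case-insensitive. As an added example (not the forum reply's code and not part of WingFTP itself), here is a stricter form of the same OnUserLoggedIn hook that parses the mapping list and requires an exact, case-insensitive match; it assumes the mapping string holds one "ADName:LocalName" entry per line or per semicolon, and treats an entry with an empty local name as unmapped.

```lua
-- Added example; c_GetOptionStr, DOPTION_LDAP_MAPPING_STR and c_KickSessionByName are the
-- WingFTP Lua API names used in the admin's reply. %Domain / %Name are WingFTP event
-- variables substituted before the script runs.
-- Assumed (not documented on the page): mapping entries look like "ADName:LocalName",
-- separated by newlines or semicolons.

-- Build a lookup table keyed by lower-cased AD user name -> local user name.
local function parse_mapping(mapping)
  local map = {}
  for entry in string.gmatch(mapping or "", "[^;\r\n]+") do
    -- lazy captures trim surrounding whitespace on both sides of the first ':'
    local ad, localname = string.match(entry, "^%s*(.-)%s*:%s*(.-)%s*$")
    if ad and ad ~= "" and localname ~= "" then
      map[string.lower(ad)] = localname
    end
  end
  return map
end

-- Exact, case-insensitive lookup: returns the local user name or nil when unmapped.
local function mapped_local_user(mapping, aduser)
  return parse_mapping(mapping)[string.lower(aduser)]
end

local strDomain = "%Domain"
local strADUser = "%Name"
local strMapping = c_GetOptionStr(strDomain, DOPTION_LDAP_MAPPING_STR)

if mapped_local_user(strMapping, strADUser) == nil then
  -- LDAP/AD accepted the credentials but no local mapping exists: deny by ending the session
  c_KickSessionByName(strDomain, strADUser)
end
```

With a constructed mapping such as "NOTJOE:Local_NotJoe;joe:Local_JOE", the lookup for "JOE" returns "Local_JOE" while "JO" or "NOTJO" return nil, which the plain substring check would not guarantee.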