Hi,
The reverse authentication profile does not respect the allowed users/groups that I have entered. If I put a custom LDAP group in the users/groups field, it will allow anyone with valid credentials to pass through, regardless of whether they are in the custom group. If I remove all users and groups from the reverse authentication profile, it still allows any valid credentials through!
These are the steps I took:
1. Create a new group with an LDAP backend.
2. Create a new reverse authentication profile with frontend "form" and backend "basic". In users/groups I put my newly created group.
3. In site path routing I go into my /owa route and add the authentication profile there.
4. On an external computer I browse to https://webmail.mydomain.com/owa
5. I log in with a user in the LDAP group I created earlier and I am able to log in successfully.
6. I log in with a user who isn't in the LDAP group and I can still log in successfully!
I decided to edit the reverse authentication profile, remove my LDAP group and save it. I got a warning that all users would be blocked by default as I had not specified any groups. I saved this. On the external computer I was still able to authenticate with the login form and reach OWA!
Why is the reverse authentication profile ignoring its own security settings?
Cheers