all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials
@ 2026-07-09 13:50 Elias Huhsovitz
  2026-07-09 14:32 ` Elias Huhsovitz
  0 siblings, 1 reply; 4+ messages in thread
From: Elias Huhsovitz @ 2026-07-09 13:50 UTC (permalink / raw)
  To: pve-user; +Cc: Elias Huhsovitz

When saving the LDAP/AD bind password to /etc/pve/priv/realm/<realm>.pw,
the file was written using the default byte encoding. This caused
passwords containing non-ASCII characters (e.g., '£' or '§') to be
truncated to their lowest byte, resulting in authentication failures
during subsequent sync operations.

Pass the 'force_utf8' flag to file_set_contents to ensure the password
is encoded as UTF-8 before being written to disk.

Signed-off-by: Elias Huhsovitz <e.huhsovitz@proxmox.com>
---
 src/PVE/Auth/LDAP.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 6a73ee8..21ee047 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -438,7 +438,7 @@ sub ldap_set_credentials {
     my $cred_file = ldap_cred_file_name($realmid);
     mkdir $ldap_pw_dir;
 
-    PVE::Tools::file_set_contents($cred_file, $password);
+    PVE::Tools::file_set_contents($cred_file, $password, 0600, 1);
 
     return $cred_file;
 }
-- 
2.47.3





^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials
@ 2026-07-09 14:00 Elias Huhsovitz
  2026-07-09 14:18 ` Shannon Sterz
  0 siblings, 1 reply; 4+ messages in thread
From: Elias Huhsovitz @ 2026-07-09 14:00 UTC (permalink / raw)
  To: pve-devel; +Cc: Elias Huhsovitz

When saving the LDAP/AD bind password to /etc/pve/priv/realm/<realm>.pw,
the file was written using the default byte encoding. This caused
passwords containing non-ASCII characters (e.g., '£' or '§') to be
truncated to their lowest byte, resulting in authentication failures
during subsequent sync operations.

Pass the 'force_utf8' flag to file_set_contents to ensure the password
is encoded as UTF-8 before being written to disk.

Signed-off-by: Elias Huhsovitz <e.huhsovitz@proxmox.com>
---
 src/PVE/Auth/LDAP.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 6a73ee8..21ee047 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -438,7 +438,7 @@ sub ldap_set_credentials {
     my $cred_file = ldap_cred_file_name($realmid);
     mkdir $ldap_pw_dir;
 
-    PVE::Tools::file_set_contents($cred_file, $password);
+    PVE::Tools::file_set_contents($cred_file, $password, 0600, 1);
 
     return $cred_file;
 }
-- 
2.47.3





^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials
  2026-07-09 14:00 Elias Huhsovitz
@ 2026-07-09 14:18 ` Shannon Sterz
  0 siblings, 0 replies; 4+ messages in thread
From: Shannon Sterz @ 2026-07-09 14:18 UTC (permalink / raw)
  To: Elias Huhsovitz, pve-devel

On Thu Jul 9, 2026 at 4:00 PM CEST, Elias Huhsovitz wrote:
> When saving the LDAP/AD bind password to /etc/pve/priv/realm/<realm>.pw,
> the file was written using the default byte encoding. This caused
> passwords containing non-ASCII characters (e.g., '£' or '§') to be
> truncated to their lowest byte, resulting in authentication failures
> during subsequent sync operations.
>
> Pass the 'force_utf8' flag to file_set_contents to ensure the password
> is encoded as UTF-8 before being written to disk.
>
> Signed-off-by: Elias Huhsovitz <e.huhsovitz@proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index 6a73ee8..21ee047 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -438,7 +438,7 @@ sub ldap_set_credentials {
>      my $cred_file = ldap_cred_file_name($realmid);
>      mkdir $ldap_pw_dir;
>
> -    PVE::Tools::file_set_contents($cred_file, $password);
> +    PVE::Tools::file_set_contents($cred_file, $password, 0600, 1);

nit: this also sets the previously unspecified permissions. while this
has no impact in reality because they match the permissions that were
assigned previously already, you should document that in the commit
message. if you don't want to explicitly set the perissions pass `undef`
instead of `0600`.

>
>      return $cred_file;
>  }





^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials
  2026-07-09 13:50 [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials Elias Huhsovitz
@ 2026-07-09 14:32 ` Elias Huhsovitz
  0 siblings, 0 replies; 4+ messages in thread
From: Elias Huhsovitz @ 2026-07-09 14:32 UTC (permalink / raw)
  To: e.huhsovitz; +Cc: pve-user

Please disregard my previous email. I accidentally sent this patch to 
the user mailing list instead of the developer mailing list (pve-devel).

Sorry for the noise!

Best regards,
Elias Huhsovitz




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-09 14:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 13:50 [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials Elias Huhsovitz
2026-07-09 14:32 ` Elias Huhsovitz
  -- strict thread matches above, loose matches on Subject: below --
2026-07-09 14:00 Elias Huhsovitz
2026-07-09 14:18 ` Shannon Sterz

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal