public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials
@ 2026-07-09 14:00 Elias Huhsovitz
  2026-07-09 14:18 ` Shannon Sterz
  0 siblings, 1 reply; 2+ messages in thread
From: Elias Huhsovitz @ 2026-07-09 14:00 UTC (permalink / raw)
  To: pve-devel; +Cc: Elias Huhsovitz

When saving the LDAP/AD bind password to /etc/pve/priv/realm/<realm>.pw,
the file was written using the default byte encoding. This caused
passwords containing non-ASCII characters (e.g., '£' or '§') to be
truncated to their lowest byte, resulting in authentication failures
during subsequent sync operations.

Pass the 'force_utf8' flag to file_set_contents to ensure the password
is encoded as UTF-8 before being written to disk.

Signed-off-by: Elias Huhsovitz <e.huhsovitz@proxmox.com>
---
 src/PVE/Auth/LDAP.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 6a73ee8..21ee047 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -438,7 +438,7 @@ sub ldap_set_credentials {
     my $cred_file = ldap_cred_file_name($realmid);
     mkdir $ldap_pw_dir;
 
-    PVE::Tools::file_set_contents($cred_file, $password);
+    PVE::Tools::file_set_contents($cred_file, $password, 0600, 1);
 
     return $cred_file;
 }
-- 
2.47.3





^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials
  2026-07-09 14:00 [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials Elias Huhsovitz
@ 2026-07-09 14:18 ` Shannon Sterz
  0 siblings, 0 replies; 2+ messages in thread
From: Shannon Sterz @ 2026-07-09 14:18 UTC (permalink / raw)
  To: Elias Huhsovitz, pve-devel

On Thu Jul 9, 2026 at 4:00 PM CEST, Elias Huhsovitz wrote:
> When saving the LDAP/AD bind password to /etc/pve/priv/realm/<realm>.pw,
> the file was written using the default byte encoding. This caused
> passwords containing non-ASCII characters (e.g., '£' or '§') to be
> truncated to their lowest byte, resulting in authentication failures
> during subsequent sync operations.
>
> Pass the 'force_utf8' flag to file_set_contents to ensure the password
> is encoded as UTF-8 before being written to disk.
>
> Signed-off-by: Elias Huhsovitz <e.huhsovitz@proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index 6a73ee8..21ee047 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -438,7 +438,7 @@ sub ldap_set_credentials {
>      my $cred_file = ldap_cred_file_name($realmid);
>      mkdir $ldap_pw_dir;
>
> -    PVE::Tools::file_set_contents($cred_file, $password);
> +    PVE::Tools::file_set_contents($cred_file, $password, 0600, 1);

nit: this also sets the previously unspecified permissions. while this
has no impact in reality because they match the permissions that were
assigned previously already, you should document that in the commit
message. if you don't want to explicitly set the perissions pass `undef`
instead of `0600`.

>
>      return $cred_file;
>  }





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-09 14:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 14:00 [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials Elias Huhsovitz
2026-07-09 14:18 ` Shannon Sterz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal