From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [45.144.208.40]) by lore.proxmox.com (Postfix) with ESMTPS id 0F8A81FF0E0 for ; Thu, 09 Jul 2026 16:18:29 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id 859C22147D; Thu, 09 Jul 2026 16:18:28 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 09 Jul 2026 16:18:25 +0200 Message-Id: Subject: Re: [PATCH access-control] fix #7144: auth: ldap: force utf-8 encoding for bind credentials To: "Elias Huhsovitz" , X-Mailer: aerc 0.20.0 References: <20260709140007.163539-1-e.huhsovitz@proxmox.com> In-Reply-To: <20260709140007.163539-1-e.huhsovitz@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1783606695562 X-SPAM-LEVEL: Spam detection results: 0 DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: NJLIUF5WMV6YIWXZ6DE4XENJ7GAGXH2Z X-Message-ID-Hash: NJLIUF5WMV6YIWXZ6DE4XENJ7GAGXH2Z X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Thu Jul 9, 2026 at 4:00 PM CEST, Elias Huhsovitz wrote: > When saving the LDAP/AD bind password to /etc/pve/priv/realm/.pw, > the file was written using the default byte encoding. This caused > passwords containing non-ASCII characters (e.g., '=C2=A3' or '=C2=A7') to= be > truncated to their lowest byte, resulting in authentication failures > during subsequent sync operations. > > Pass the 'force_utf8' flag to file_set_contents to ensure the password > is encoded as UTF-8 before being written to disk. > > Signed-off-by: Elias Huhsovitz > --- > src/PVE/Auth/LDAP.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm > index 6a73ee8..21ee047 100755 > --- a/src/PVE/Auth/LDAP.pm > +++ b/src/PVE/Auth/LDAP.pm > @@ -438,7 +438,7 @@ sub ldap_set_credentials { > my $cred_file =3D ldap_cred_file_name($realmid); > mkdir $ldap_pw_dir; > > - PVE::Tools::file_set_contents($cred_file, $password); > + PVE::Tools::file_set_contents($cred_file, $password, 0600, 1); nit: this also sets the previously unspecified permissions. while this has no impact in reality because they match the permissions that were assigned previously already, you should document that in the commit message. if you don't want to explicitly set the perissions pass `undef` instead of `0600`. > > return $cred_file; > }