On Wed, Jun 21, 2017 at 12:11 AM, <[email protected]> wrote:

> It was recently discovered that any string allows a valid LDAP user to
> authenticate to our foreman instance.
>
> Empty password fields get rejected, as do users who don't exist in LDAP.
> User info is correct, so I'm confident that foreman is talking to LDAP.
>
> Has anyone seen this? An hour of googling hasn't revealed any solution.
>
I have not, can you please turn on debug (with both sql and ldap queries) and post the output?

also - for the future, if you believe you encountered a security related bug, please follow the process at [1]

thanks,
Ohad

[1] https://theforeman.org/security.html#Securityprocess

--
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.
