On Wed, Jun 21, 2017 at 12:11 AM, <jruy...@owneriq.com> wrote:

> It was recently discovered that any string allows a valid LDAP user to
> authenticate to our foreman instance.
>
> Empty password fields get rejected, as do users who don't exist in LDAP.
> User info is correct, so I'm confident that foreman is talking to LDAP.
>
> Has anyone seen this? An hour of googling hasn't revealed any solution.
>

I have not. Can you please turn on debug (with both SQL and LDAP queries)
and post the output?

Also, for the future, if you believe you encountered a security-related
bug, please follow the process at [1].

thanks,
Ohad

[1]  https://theforeman.org/security.html#Securityprocess

-- 
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to foreman-users+unsubscr...@googlegroups.com.
> To post to this group, send email to foreman-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.
>
