LDAP: UI allows any string to authenticate a user

It was recently discovered that any string allows a valid LDAP user to
authenticate to our foreman instance.

Empty password fields get rejected, as do users who don't exist in LDAP.
User info is correct, so I'm confident that foreman is talking to LDAP.

Has anyone seen this? An hour of googling hasn't revealed any solution.

I have not; can you please turn on debug (with both sql and ldap queries)
and post the output?

Also, for the future: if you believe you encountered a security-related
bug, please follow the process at [1].

thanks,
Ohad

[1] Foreman :: Security, https://theforeman.org/security.html#Securityprocess

On Wed, Jun 21, 2017 at 12:11 AM, wrote:

> It was recently discovered that any string allows a valid LDAP user to
> authenticate to our foreman instance.
>
> Empty password fields get rejected, as do users who don't exist in LDAP.
> User info is correct, so I'm confident that foreman is talking to LDAP.
>
> Has anyone seen this? An hour of googling hasn't revealed any solution.


Good to know, thanks.

Logging is pretty loud with debug, LDAP and SQL turned on. I was able to
find this in the sql logs:

2017-06-22 15:23:20 407057e9 [sql] [D] User Load (0.4ms) SELECT users.* FROM users WHERE users.lower_login = 'jruybal' LIMIT 1
2017-06-22 15:23:20 407057e9 [sql] [D] AuthSource Load (0.4ms) SELECT auth_sources.* FROM auth_sources WHERE auth_sources.id = 3 LIMIT 1
2017-06-22 15:23:20 407057e9 [sql] [D] LDAP auth with user jruybal against LDAP-freeipa
2017-06-22 15:23:20 407057e9 [sql] [D] Retrieved LDAP Attributes for jruybal: {:dn=>"uid=jruybal,cn=users,cn=accounts,dc=owneriq,dc=com"}
2017-06-22 15:23:20 407057e9 [sql] [D] Authenticated user jruybal against LDAP-freeipa authentication source
2017-06-22 15:23:20 407057e9 [sql] [D] User Load (0.5ms) SELECT users.* FROM users WHERE users.lower_login = 'foreman_admin' LIMIT 1
2017-06-22 15:23:20 407057e9 [sql] [D] Updating user jruybal attributes from auth source: [:dn]
2017-06-22 15:23:20 407057e9 [sql] [D] (0.3ms) BEGIN
2017-06-22 15:23:20 407057e9 [sql] [D] (0.4ms) SELECT COUNT(*) FROM auth_sources WHERE auth_sources.type IN ('AuthSourceHidden') AND auth_sources.id = 3
2017-06-22 15:23:20 407057e9 [sql] [D] User Exists (0.4ms) SELECT 1 AS one FROM users WHERE (users.login = 'jruybal' AND users.id != 10) LIMIT 1
2017-06-22 15:23:20 407057e9 [sql] [D] Usergroup Load (0.4ms) SELECT usergroups.* FROM usergroups WHERE usergroups.name = 'jruybal' ORDER BY usergroups.name
2017-06-22 15:23:20 407057e9 [sql] [D] Role Load (0.4ms) SELECT roles.* FROM roles WHERE roles.builtin = 2 LIMIT 1
2017-06-22 15:23:20 407057e9 [sql] [D] Role Exists (0.5ms) SELECT 1 AS one FROM roles INNER JOIN user_roles ON roles.id = user_roles.role_id WHERE user_roles.owner_id = 10 AND user_roles.owner_type = 'User' AND roles.id = 13 LIMIT 1
2017-06-22 15:23:20 407057e9 [sql] [D] (0.3ms) COMMIT
2017-06-22 15:23:20 407057e9 [sql] [D] Updating user groups for user jruybal
2017-06-22 15:23:20 407057e9 [sql] [D] User Load (0.4ms) SELECT users.* FROM users WHERE users.lower_login = 'jruybal' ORDER BY firstname LIMIT 1

LDAP logs are almost silent. It's worth noting that since starting this
email chain I've tried adding External Authentication with IPA.

On Tuesday, June 20, 2017 at 10:39:02 PM UTC-7, ohad wrote:

> I have not; can you please turn on debug (with both sql and ldap queries)
> and post the output?
>
> Also, for the future: if you believe you encountered a security-related
> bug, please follow the process at [1].
>
> thanks,
> Ohad
>
> [1] https://theforeman.org/security.html#Securityprocess