Skip to content
Permalink
Browse files

[debops.owncloud] Limit LDAP password characters

This patch specifies what characters can be used in the Nextcloud LDAP
password string. This should fix an error where a password with '-' at
the beginning is interpreted as the 'occ' script option.
  • Loading branch information...
drybjed committed Oct 5, 2019
1 parent 20cc7ba commit 5b66de28a109abd6db1fd9ab4b4813d1af96fb36
Showing with 2 additions and 1 deletion.
  1. +2 −1 ansible/roles/debops.owncloud/defaults/main.yml
@@ -1246,7 +1246,8 @@ owncloud__ldap_binddn: '{{ ([ owncloud__ldap_self_rdn ] + owncloud__ldap_device_
# The password stored in the account LDAP object used by the Nextcloud service
# to bind to the LDAP directory.
owncloud__ldap_bindpw: '{{ lookup("password", secret + "/ldap/credentials/"
+ owncloud__ldap_binddn | to_uuid + ".password length=32") }}'
+ owncloud__ldap_binddn | to_uuid + ".password length=32 "
+ "chars=alpha,digits,!@_#$%^&*") }}'

This comment has been minimized.

Copy link
@reixd

reixd Oct 5, 2019

Contributor

Looking at the special chars: if some of this chars are interpreted by the shell, it could cause havoc. I think the only safe chars are @,_,%. This of course diminish the security of the password. Nevertheless a length of >=32 chars should suffice for now.


# ]]]
# .. envvar:: owncloud__ldap_uri [[[

0 comments on commit 5b66de2

Please sign in to comment.
You can’t perform that action at this time.