[Openstack-security] [Bug 1178032] Re: ldap driver returns hashed passwords

OpenStack Hudson 1178032 at bugs.launchpad.net
Wed Jul 31 03:08:17 UTC 2013 

Fix proposed to branch: master
Review: https://review.openstack.org/39406

** Changed in: keystone
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1178032

Title:
  ldap driver returns hashed passwords

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  
  If I'm using the LDAP identity backend, listing group users includes the users' passwords (sha-encoded, but that probably depends on LDAP server configuration).

  Keystone shouldn't be handing out users' passwords.

  The fix is probably to just remove the password attribute. If Keystone
  is just returning all attributes, then it should be changed to only
  return the attributes that are known to be safe.

  Steps to recreate:

  1) start with devstack configured to use LDAP
  # set LDAP options in localrc
  ./stack.sh ...

  2) add the default domain since it doesn't exist by default for some
  reason.

  $ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
  dn: cn=default,ou=Domains,dc=openstack,dc=org
  objectclass: groupOfNames
  member: cn=dummy

  3) Create a couple users

  (set environment variables so you're admin)

  $ keystone user-create --name user1 --pass user1pwd
  (example id is 1db4a4d16ba1458aae139db0f43b0904)
  $ keystone user-create --name user2 --pass user2pwd
  (example id is 4091d11924f5498c8008b655bcf94b9d)

  4) Create a group

  $ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd

  dn: ou=UserGroups,dc=openstack,dc=org
  objectclass: organizationalUnit

  dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
  objectclass: groupOfNames
  member: cn=1db4a4d16ba1458aae139db0f43b0904,ou=Users,dc=openstack,dc=org
  member: cn=4091d11924f5498c8008b655bcf94b9d,ou=Users,dc=openstack,dc=org

  5) List the group members:

  $ curl -H "X-Auth-Token: admintoken"
  http://localhost:35357/v3/groups/group1/users | python -m json.tool

  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://localhost:5000/v3/groups/group1/users"
      },
      "users": [
          {
              "domain_id": "default",
              "id": "1db4a4d16ba1458aae139db0f43b0904",
              "links": {
                  "self": "http://localhost:5000/v3/users/1db4a4d16ba1458aae139db0f43b0904"
              },
              "name": "user1",
              "password": "{SSHA}eQnQSd6SS6tioL/uN4M7odr/cf2SsjbG"
          },
          {
              "domain_id": "default",
              "id": "4091d11924f5498c8008b655bcf94b9d",
              "links": {
                  "self": "http://localhost:5000/v3/users/4091d11924f5498c8008b655bcf94b9d"
              },
              "name": "user2",
              "password": "{SSHA}HDtgM7HcrlXnLM7N85htpz1kKYL2npMS"
          }
      ]
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1178032/+subscriptions

More information about the Openstack-security mailing list