[Openstack-security] [Bug 1168252] Re: keystone.conf should not be world-readable (to keep LDAP password and admin_token secret)

Lloyd Dewolf lloydostack at gmail.com
Sat May 11 05:23:07 UTC 2013


For anyone else who comes along looking for the separate bug:

> Thierry Carrez (ttx) wrote on 2013-04-23:

> 2/ LDAP password config option is not marked "secret" so it MAY show in logs
> That's what the proposed fix actually fixes. I'm not sure the LDAP password is actually logged anywhere, but marking it secret
> actually makes sure it would not show if that was the case. This should be filed as a separate bug.

It is #1172195 "admin_token and LDAP password show up in log in DEBUG
mode"

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1168252

Title:
  keystone.conf should not be world-readable (to keep LDAP password and
  admin_token secret)

Status in devstack - openstack dev environments:
  Confirmed
Status in OpenStack Security Notes:
  New
Status in “keystone” package in Gentoo Linux:
  Unknown

Bug description:
  The password configuration of LDAP and admin_token in keystone.conf
  should be secret to protect security information:

  [ldap]
  # url = ldap://localhost
  # user = dc=Manager,dc=example,dc=com
  # password = None                                            <- should be secret
  # suffix = cn=example,cn=com
  # use_dumb_member = False
  # allow_subtree_delete = False
  # dumb_member = cn=dumb,dc=example,dc=com

  
  [DEFAULT]
  admin_token = passw0rd                                <- should be secret

To manage notifications about this bug go to:
https://bugs.launchpad.net/devstack/+bug/1168252/+subscriptions
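
An added example, not part of the original message and not Keystone's own code: a check that flags a config file which sets admin_token or the [ldap] password while readable by "other", plus a dump of the same options with the secret ones masked, as a DEBUG log should show them. The helper names, the "****" mask and the sample file contents are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile

# Assumption: the two options named in the bug report are the secrets to track.
SECRET_OPTIONS = {("DEFAULT", "admin_token"), ("ldap", "password")}
# Constructed sample, modelled on the snippet in the bug description.
SAMPLE = "[DEFAULT]\nadmin_token = passw0rd\n\n[ldap]\nurl = ldap://localhost\n# password = None\n"

def load(path):
    parser = configparser.RawConfigParser()
    parser.read(path)
    return parser

def audit(path):
    """Flag a file readable by 'other' that sets a secret (commented-out lines don't count)."""
    parser = load(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    found = sorted((s, o) for s, o in SECRET_OPTIONS
                   if parser.get(s, o, fallback=None) not in (None, "", "None"))
    if found and mode & stat.S_IROTH:
        names = ", ".join(f"[{s}] {o}" for s, o in found)
        return [f"mode {mode:04o} is world-readable and the file sets {names}"]
    return []

def redacted(path):
    """Option values with the secret ones masked, safe to emit at DEBUG level."""
    parser, out = load(path), {}
    for section in ["DEFAULT"] + parser.sections():
        for option, value in parser.items(section):
            if section != "DEFAULT" and option in parser.defaults():
                continue  # inherited from [DEFAULT]; listed once, under DEFAULT
            masked = (section, option) in SECRET_OPTIONS
            out[f"{section}.{option}"] = "****" if masked else value
    return out

def demo():
    """Write the sample at 0644, audit it, tighten to 0640, audit again."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o640)
        return before, audit(path), redacted(path)
    finally:
        os.remove(path)
```

Calling demo() returns the finding for the 0644 file, an empty list once the mode is 0640, and the masked option dump.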



