[Openstack-security] [Bug 1178032] Re: ldap driver returns hashed passwords
OpenStack Hudson
1178032 at bugs.launchpad.net
Thu Aug 1 19:03:23 UTC 2013
Reviewed: https://review.openstack.org/39406
Committed: http://github.com/openstack/keystone/commit/cda7d1637c7276902ab8dc789590166347f742b3
Submitter: Jenkins
Branch: master
commit cda7d1637c7276902ab8dc789590166347f742b3
Author: Adam Young <ayoung at redhat.com>
Date: Tue Jul 30 23:07:41 2013 -0400
Remove passwords from LDAP queries
Bug 1178032
Change-Id: Idca895b1d4d2e611fe834f49b436864a73f4006c
** Changed in: keystone
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1178032
Title:
ldap driver returns hashed passwords
Status in OpenStack Identity (Keystone):
Fix Committed
Bug description:
If I'm using the LDAP identity backend, listing group users includes the users' passwords (sha-encoded, but that probably depends on LDAP server configuration).
Keystone shouldn't be handing out users' passwords.
The fix is probably to just remove the password attribute. If Keystone
is just returning all attributes, then it should be changed to only
return the attributes that are known to be safe.
Steps to recreate:
1) start with devstack configured to use LDAP
# set LDAP options in localrc
./stack.sh ...
2) add the default domain since it doesn't exist by default for some
reason.
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
dn: cn=default,ou=Domains,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=dummy
3) Create a couple users
(set environment variables so you're admin)
$ keystone user-create --name user1 --pass user1pwd
(example id is 1db4a4d16ba1458aae139db0f43b0904)
$ keystone user-create --name user2 --pass user2pwd
(example id is 4091d11924f5498c8008b655bcf94b9d)
4) Create a group
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
dn: ou=UserGroups,dc=openstack,dc=org
objectclass: organizationalUnit
dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=1db4a4d16ba1458aae139db0f43b0904,ou=Users,dc=openstack,dc=org
member: cn=4091d11924f5498c8008b655bcf94b9d,ou=Users,dc=openstack,dc=org
5) List the group members:
$ curl -H "X-Auth-Token: admintoken"
http://localhost:35357/v3/groups/group1/users | python -m json.tool
{
"links": {
"next": null,
"previous": null,
"self": "http://localhost:5000/v3/groups/group1/users"
},
"users": [
{
"domain_id": "default",
"id": "1db4a4d16ba1458aae139db0f43b0904",
"links": {
"self": "http://localhost:5000/v3/users/1db4a4d16ba1458aae139db0f43b0904"
},
"name": "user1",
"password": "{SSHA}eQnQSd6SS6tioL/uN4M7odr/cf2SsjbG"
},
{
"domain_id": "default",
"id": "4091d11924f5498c8008b655bcf94b9d",
"links": {
"self": "http://localhost:5000/v3/users/4091d11924f5498c8008b655bcf94b9d"
},
"name": "user2",
"password": "{SSHA}HDtgM7HcrlXnLM7N85htpz1kKYL2npMS"
}
]
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1178032/+subscriptions
More information about the Openstack-security
mailing list