[Openstack-security] [Bug 1178032] Re: ldap driver returns hashed passwords
OpenStack Hudson
1178032 at bugs.launchpad.net
Wed Jul 31 03:08:17 UTC 2013
Fix proposed to branch: master
Review: https://review.openstack.org/39406
** Changed in: keystone
Status: Confirmed => In Progress
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1178032
Title:
ldap driver returns hashed passwords
Status in OpenStack Identity (Keystone):
In Progress
Bug description:
If I'm using the LDAP identity backend, listing group users includes the users' passwords (sha-encoded, but that probably depends on LDAP server configuration).
Keystone shouldn't be handing out users' passwords.
The fix is probably to just remove the password attribute. If Keystone
is just returning all attributes, then it should be changed to only
return the attributes that are known to be safe.
Steps to recreate:
1) start with devstack configured to use LDAP
# set LDAP options in localrc
./stack.sh ...
2) add the default domain since it doesn't exist by default for some
reason.
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
dn: cn=default,ou=Domains,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=dummy
3) Create a couple users
(set environment variables so you're admin)
$ keystone user-create --name user1 --pass user1pwd
(example id is 1db4a4d16ba1458aae139db0f43b0904)
$ keystone user-create --name user2 --pass user2pwd
(example id is 4091d11924f5498c8008b655bcf94b9d)
4) Create a group
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
dn: ou=UserGroups,dc=openstack,dc=org
objectclass: organizationalUnit
dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=1db4a4d16ba1458aae139db0f43b0904,ou=Users,dc=openstack,dc=org
member: cn=4091d11924f5498c8008b655bcf94b9d,ou=Users,dc=openstack,dc=org
5) List the group members:
$ curl -H "X-Auth-Token: admintoken"
http://localhost:35357/v3/groups/group1/users | python -m json.tool
{
"links": {
"next": null,
"previous": null,
"self": "http://localhost:5000/v3/groups/group1/users"
},
"users": [
{
"domain_id": "default",
"id": "1db4a4d16ba1458aae139db0f43b0904",
"links": {
"self": "http://localhost:5000/v3/users/1db4a4d16ba1458aae139db0f43b0904"
},
"name": "user1",
"password": "{SSHA}eQnQSd6SS6tioL/uN4M7odr/cf2SsjbG"
},
{
"domain_id": "default",
"id": "4091d11924f5498c8008b655bcf94b9d",
"links": {
"self": "http://localhost:5000/v3/users/4091d11924f5498c8008b655bcf94b9d"
},
"name": "user2",
"password": "{SSHA}HDtgM7HcrlXnLM7N85htpz1kKYL2npMS"
}
]
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1178032/+subscriptions
More information about the Openstack-security
mailing list