[Bug 1178032] Re: ldap driver returns hashed passwords
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => havana-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1178032
Title:
ldap driver returns hashed passwords
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
If I'm using the LDAP identity backend, listing group users includes the users' passwords (sha-encoded, but that probably depends on LDAP server configuration).
Keystone shouldn't be handing out users' passwords.
The fix is probably to just remove the password attribute. If Keystone is just returning all attributes, then it should be changed to only return the attributes that are known to be safe.
Steps to recreate:
1) start with devstack configured to use LDAP
# set LDAP options in localrc
./stack.sh ...
2) add the default domain since it doesn't exist by default for some reason.
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
dn: cn=default,ou=Domains,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=dummy
3) Create a couple users
(set environment variables so you're admin)
$ keystone user-create --name user1 --pass user1pwd
(example id is 1db4a4d16ba1458aae139db0f43b0904)
$ keystone user-create --name user2 --pass user2pwd
(example id is 4091d11924f5498c8008b655bcf94b9d)
4) Create a group
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w ldapadminpwd
dn: ou=UserGroups,dc=openstack,dc=org
objectclass: organizationalUnit
dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=1db4a4d16ba1458aae139db0f43b0904,ou=Users,dc=openstack,dc=org
member: cn=4091d11924f5498c8008b655bcf94b9d,ou=Users,dc=openstack,dc=org
5) List the group members:
$ curl -H "X-Auth-Token: admintoken" http://localhost:35357/v3/groups/group1/users | python -m json.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://localhost:5000/v3/groups/group1/users"
    },
    "users": [
        {
            "domain_id": "default",
            "id": "1db4a4d16ba1458aae139db0f43b0904",
            "links": {
                "self": "http://localhost:5000/v3/users/1db4a4d16ba1458aae139db0f43b0904"
            },
            "name": "user1",
            "password": "{SSHA}eQnQSd6SS6tioL/uN4M7odr/cf2SsjbG"
        },
        {
            "domain_id": "default",
            "id": "4091d11924f5498c8008b655bcf94b9d",
            "links": {
                "self": "http://localhost:5000/v3/users/4091d11924f5498c8008b655bcf94b9d"
            },
            "name": "user2",
            "password": "{SSHA}HDtgM7HcrlXnLM7N85htpz1kKYL2npMS"
        }
    ]
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1178032/+subscriptions
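The allowlist approach the report suggests, as an added example rather than Keystone's own LDAP driver code: raw LDAP entries are mapped to API user records through an explicit attribute map, so server-side attributes such as userPassword are never copied, and a small check flags any response that still carries a password field. The attribute map, function names and the sample entry are constructed for illustration.

```python
# Added example (not Keystone's code): allowlist mapping of LDAP user
# entries to API records, plus a regression check for leaked passwords.

# Allowlist: LDAP attribute -> API field. Anything not listed is dropped.
# The attribute names here are an assumption for the example.
USER_ATTRIBUTE_MAP = {"cn": "id", "sn": "name", "mail": "email"}

# Attribute names that must never appear in an API response.
FORBIDDEN_ATTRIBUTES = {"userpassword", "password"}


def ldap_entry_to_user(dn, attrs, domain_id="default"):
    """Convert one (dn, attrs) search result into a safe API user dict.

    attrs maps attribute name -> list of values, as python-ldap returns
    it. Only allowlisted attributes are copied; the rest are ignored.
    """
    user = {"domain_id": domain_id}
    for ldap_attr, field in USER_ATTRIBUTE_MAP.items():
        if ldap_attr.lower() in FORBIDDEN_ATTRIBUTES:
            raise ValueError(f"refusing to expose {ldap_attr}")
        values = attrs.get(ldap_attr)
        if values:
            user[field] = values[0]
    return user


def unsafe_entry_to_user(dn, attrs, domain_id="default"):
    """The behaviour the report describes: every attribute is copied."""
    user = {"domain_id": domain_id}
    user.update({k: v[0] for k, v in attrs.items()})
    return user


def response_leaks_password(users):
    """Regression check over the 'users' list of an API response."""
    return any(k.lower() in FORBIDDEN_ATTRIBUTES for u in users for k in u)


# Constructed sample entry shaped like the one in the bug report.
SAMPLE_ENTRY = (
    "cn=1db4a4d16ba1458aae139db0f43b0904,ou=Users,dc=openstack,dc=org",
    {
        "cn": ["1db4a4d16ba1458aae139db0f43b0904"],
        "sn": ["user1"],
        "userPassword": ["{SSHA}constructed-placeholder-hash"],
    },
)

if __name__ == "__main__":
    safe = ldap_entry_to_user(*SAMPLE_ENTRY)
    print(safe, response_leaks_password([safe]))
```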