yahoo-eng-team team mailing list archive

[Bug 1308793] [NEW] Remove LDAP password hashing code

Public bug reported:

Keystone currently has code that hashes LDAP user passwords when
creating and updating users (using salted SHA-1).  Keystone itself
should not be doing this hashing.  The LDAP server itself is supposed to
receive the clear text "userPassword" attribute value so it can hash it
itself.  This hashing may or may not be using salted SHA-1 depending on
the LDAP server implementation or password policy configuration.  In
addition, some LDAP server implementations may even refuse to accept
pre-hashed passwords.

The proper behavior is to just pass the clear-text password off to the
LDAP server as a part of the LDAP add or modify operation.
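As an added illustration (not Keystone's own code), the following contrasts the behaviour the bug describes, Keystone pre-hashing `userPassword` with salted SHA-1 in RFC 2307 `{SSHA}` form, with the corrected behaviour of placing the clear-text value in the LDAP add/modify and letting the server hash it under its own policy. The modlist tuples mirror python-ldap's `(op, attr, values)` shape, but python-ldap is not imported and the function names are our own.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MOD_REPLACE = 2  # numeric value of ldap.MOD_REPLACE in python-ldap (not imported here)
ATTR = "userPassword"
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")  # RFC 2307 scheme prefix, e.g. {SSHA}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in RFC 2307 form: {SSHA} + base64(sha1(pw || salt) || salt).

    This is the client-side hashing the bug says Keystone should stop doing:
    the scheme is pinned to SHA-1 no matter what the server's policy requires.
    """
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def is_prehashed(value: str) -> bool:
    """True if a userPassword value already carries a scheme prefix.

    Handy for auditing entries written under the old behaviour, where the
    server stored Keystone's hash instead of applying its own."""
    return SCHEME_RE.match(value) is not None


def password_modlist_old(password: str) -> List[Tuple[int, str, List[bytes]]]:
    """'Before': Keystone hashes first; some servers reject such values."""
    return [(MOD_REPLACE, ATTR, [ssha_hash(password).encode("utf-8")])]


def password_modlist_fixed(password: str) -> List[Tuple[int, str, List[bytes]]]:
    """'After': send the clear text in the modify; the server hashes per its policy.
    The connection carrying it is assumed to be TLS-protected."""
    return [(MOD_REPLACE, ATTR, [password.encode("utf-8")])]
```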

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1308793

Title:
  Remove LDAP password hashing code

Status in OpenStack Identity (Keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1308793/+subscriptions
