yahoo-eng-team team mailing list archive
Message #13665
[Bug 1308793] [NEW] Remove LDAP password hashing code
Public bug reported:
Keystone currently has code that hashes LDAP user passwords when
creating and updating users (using salted SHA-1). Keystone itself
should not be doing this hashing. The LDAP server itself is supposed to
receive the clear text "userPassword" attribute value so it can hash it
itself. This hashing may or may not be using salted SHA-1 depending on
the LDAP server implementation or password policy configuration. In
addition, some LDAP server implementations may even refuse to accept
pre-hashed passwords.
The proper behavior is to just pass the clear-text password off to the
LDAP server as a part of the LDAP add or modify operation.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1308793
Title:
Remove LDAP password hashing code
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1308793/+subscriptions
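To make the report's point concrete, the example below (added here, not Keystone's or the reporter's code) contrasts a modify operation that carries a pre-hashed salted SHA-1 `userPassword` with one that carries the clear text, and models a server policy that refuses pre-hashed values. The `(op, attr, values)` modlist shape and `MOD_REPLACE = 2` are assumed from python-ldap; the `{SSHA}` encoding is a reconstruction of the RFC 2307 style scheme, not Keystone's exact code.

```python
"""Pre-hashed vs clear-text userPassword in an LDAP modify (added example)."""
import base64
import hashlib
import os
from typing import List, Optional, Tuple

MOD_REPLACE = 2  # assumption: python-ldap's ldap.MOD_REPLACE value
ModList = List[Tuple[int, str, List[bytes]]]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64(sha1(password + salt) + salt); reconstruction of the
    salted SHA-1 scheme the bug report says Keystone applied client-side."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def modlist_prehashed(password: str) -> ModList:
    """Reported behaviour: Keystone hashes before the modify is sent."""
    return [(MOD_REPLACE, "userPassword", [ssha_hash(password).encode()])]


def modlist_cleartext(password: str) -> ModList:
    """Proposed behaviour: clear text in the modify; the server hashes."""
    return [(MOD_REPLACE, "userPassword", [password.encode()])]


def server_accepts(modlist: ModList, allow_prehashed: bool) -> bool:
    """Model of a server password policy: some implementations reject a
    userPassword value that already carries a scheme prefix like {SSHA}."""
    for _op, attr, values in modlist:
        if attr != "userPassword":
            continue
        if not allow_prehashed and any(v.startswith(b"{") for v in values):
            return False
    return True


def ssha_verify(password: str, stored: str) -> bool:
    """Bind-time check the server performs once it has hashed the clear text
    itself: recover the salt from the stored value and compare digests."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest
```

With a policy that refuses pre-hashed values, only the clear-text modlist is accepted, which is the failure mode the report warns about.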