yahoo-eng-team team mailing list archive

[Bug 1308793] Re: Remove LDAP password hashing code

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1308793

Title:
  Remove LDAP password hashing code

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Keystone currently has code that hashes LDAP user passwords when
  creating and updating users (using salted SHA-1).  Keystone itself
  should not be doing this hashing.  The LDAP server itself is supposed
  to receive the clear text "userPassword" attribute value so it can
  hash it itself.  This hashing may or may not be using salted SHA-1
  depending on the LDAP server implementation or password policy
  configuration.  In addition, some LDAP server implementations may even
  refuse to accept pre-hashed passwords.

  The proper behavior is to just pass the clear-text password off to the
  LDAP server as a part of the LDAP add or modify operation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1308793/+subscriptions
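
An added example, not Keystone's code and not part of the bug report: it contrasts the pre-hashed "userPassword" value the description refers to with the clear-text value it calls for, and flags add/modify requests where the client did the hashing. It assumes the common {SSHA} layout (base64 of the SHA-1 digest followed by the salt); all function names and the sample DNs are hypothetical.

```python
import base64
import hashlib
import os
import re
from typing import Optional

# RFC 2307-style storage-scheme prefix such as {SSHA}, {SHA} or {CRYPT}.
_SCHEME = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")


def ssha(password: str, salt: Optional[bytes] = None) -> bytes:
    """Client-side salted SHA-1 in the {SSHA} layout (the 'before' behaviour)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def user_password_values(password: str, prehash: bool = False) -> list:
    """Value list for userPassword in an LDAP add or modify operation."""
    return [ssha(password)] if prehash else [password.encode("utf-8")]


def prehashed_scheme(value: bytes) -> Optional[str]:
    """Scheme name if the value carries a {SCHEME} prefix, else None.

    A clear-text password that itself starts with "{word}" is a false positive.
    """
    match = _SCHEME.match(value)
    return match.group(1).decode("ascii").upper() if match else None


def flag_prehashed(requests: dict) -> dict:
    """Map DN -> scheme for each request whose userPassword the client hashed."""
    found = {}
    for dn, values in requests.items():
        schemes = [s for s in map(prehashed_scheme, values) if s]
        if schemes:
            found[dn] = schemes[0]
    return found


# Constructed sample: one client still pre-hashing, one sending clear text.
SAMPLE = {
    "cn=alice,ou=Users,dc=example,dc=org": user_password_values("s3cret", prehash=True),
    "cn=bob,ou=Users,dc=example,dc=org": user_password_values("s3cret"),
}
```

In the pre-hashed case the server receives only the digest and salt, so it cannot apply its own storage scheme or password policy to the value; the clear-text case relies on the LDAP connection itself being protected in transit.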

