yahoo-eng-team team mailing list archive

[Bug 1528676] Re: OpenLDAP password policy not enforced for password changes

 

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1528676

Title:
  OpenLDAP password policy not enforced for password changes

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Hello there,
  I'm on Ubuntu 14.04.3, OpenStack Juno and OpenLDAP v2.4.31 releases.
  I configured OpenLDAP as an identity backend for Keystone and configured it according to official documentation from:
  http://docs.openstack.org/developer/keystone/configuration.html
  I'd like my users to be able to change their own passwords, but at the same time I'd like the OpenLDAP password policy to be enforced upon password changes. I've set allow_creates, allow_updates and allow_deletes all to true so as not to be restricted in any way by keystone.
  The problem is the following: the RootDN account is used for binding when the user is changing his/her password. The OpenLDAP password policy is not enforced when RootDN performs the password change. As a result, no password policy is enforced during password change.
  If I don't set LDAP user/password in keystone.conf, then users cannot change their own passwords at all.
  Please recommend how I can allow the users to change their own passwords and at the same time enforce OpenLDAP password policy.
  Thank you,
  Nodir
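
A configuration check for the condition the report describes, as an added example that is not part of the original bug report or of keystone's code: it reads the [ldap] section of keystone.conf and flags the case where user updates are enabled and the bind DN equals the directory's rootdn. The option names `user` and `user_allow_update` are keystone's; the function names, sample values, finding codes and the rough DN comparison are assumptions of this example, and the rootdn has to be supplied from the slapd configuration.

```python
import configparser

# Constructed sample: a keystone.conf [ldap] fragment shaped like the report's
# setup (service bind DN equal to the slapd rootdn, user updates enabled).
SAMPLE_CONF = """\
[ldap]
url = ldap://ldap.example.org
user = cn=admin,dc=example,dc=org
password = placeholder-not-a-real-secret
user_allow_create = true
user_allow_update = true
user_allow_delete = true
"""

FINDINGS = {  # hypothetical finding codes used only by this example
    "rootdn-writes": "keystone binds as the slapd rootdn, so password changes "
                     "made through it are not checked against the password policy",
    "no-bind-dn": "user updates are enabled but no bind DN is configured",
}

def normalize_dn(dn):
    """Rough DN comparison key: trims spaces and case-folds.
    Does not handle escaped commas or multi-valued RDNs."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in rdns).lower()

def audit_ldap_writes(conf_text, slapd_rootdn):
    """Return finding codes for the [ldap] section of a keystone.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("ldap"):
        return []
    ldap = cp["ldap"]
    bind_dn = ldap.get("user", "").strip()
    # Assumption: an unset option is treated as enabled so the audit errs
    # toward reporting; check the default of the release in use.
    if not ldap.getboolean("user_allow_update", fallback=True):
        return []
    if not bind_dn:
        return ["no-bind-dn"]
    if normalize_dn(bind_dn) == normalize_dn(slapd_rootdn):
        return ["rootdn-writes"]
    return []

if __name__ == "__main__":
    for code in audit_ldap_writes(SAMPLE_CONF, "cn=admin,dc=example,dc=org"):
        print(code + ": " + FINDINGS[code])
```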
