[ldap][security] not encrypted ldap passwords in puppet log

Bug #1658655 reported by Ruslan Khozinov on 2017-01-23
Affects              Importance   Assigned to
Fuel Plugins         Undecided    Nikita Karpin
Fuel for OpenStack   High         Nikita Karpin
Mitaka               High         Nikita Karpin

Bug Description

ldap 3.3.0.0

http://mirror.fuel-infra.org/mos-plugins/centos/9.1/ldap-3.0-3.0.0-1.noarch.rpm

2017-01-20 10:44:20 +0000 /Stage[main]/Plugin_ldap::Controller/Plugin_ldap::Multiple_domain[domain=openldap2
    url=ldap://176.74.221.81
    suffix=dc=openldap2,dc=tld
    user=cn=admin,dc=openldap2,dc=tld
    password=1111
    query_scope=sub
    user_tree_dn=dc=openldap2,dc=tld
    user_objectclass=inetOrgPerson
    user_id_attribute=cn
    user_name_attribute=sn
    user_pass_attribute=userPassword
    user_enabled_attribute=enabled
    user_allow_create=False
    user_allow_update=False
    user_allow_delete=False
    user_filter=
    group_tree_dn=dc=openldap2,dc=tld
    group_objectclass=groupOfNames
    group_id_attribute=cn
    group_name_attribute=cn
    group_desc_attribute=description
    group_member_attribute=member
    group_allow_create=False
    group_allow_update=False
    group_allow_delete=False
    group_filter=
    ldap_proxy=false
    use_tls=False
    domain=AD2
    url=ldap://176.74.221.85
    user=cn=admin,cn=Users,dc=keystone2,dc=tld
    group_id_attribute=cn
    group_objectclass=group
    user_objectclass=person
    user_name_attribute=cn
    password=qwerty123!
    user_allow_delete=False
    group_allow_create=False
    user_tree_dn=dc=keystone2,dc=tld
    user_pass_attribute=userPassword
    user_enabled_attribute=enabled
    user_allow_create=False
    user_allow_update=False
    group_tree_dn=dc=keystone2,dc=tld
    group_desc_attribute=description
    user_filter=
    group_allow_update=False
    group_filter=
    suffix=dc=keystone2,dc=tld
    group_member_attribute=member
    group_allow_delete=False
    use_tls=False
    query_scope=sub
    group_name_attribute=cn
    user_id_attribute=cn
    ldap_proxy=false]/Plugin_ldap::Keystone[{"domain"=>"openldap2", " url"=>"ldap://176.74.221.85", " suffix"=>"dc=keystone2,dc=tld", " user"=>"cn=admin,cn=Users,dc=keystone2,dc=tld", " password"=>"qwerty123!", " query_scope"=>"sub", " user_tree_dn"=>"dc=keystone2,dc=tld", " user_objectclass"=>"person", " user_id_attribute"=>"cn", " user_name_attribute"=>"cn", " user_pass_attribute"=>"userPassword", " user_enabled_attribute"=>"enabled", " user_allow_create"=>"False", " user_allow_update"=>"False", " user_allow_delete"=>"False", " user_filter"=>"", " group_tree_dn"=>"dc=keystone2,dc=tld", " group_objectclass"=>"group", " group_id_attribute"=>"cn", " group_name_attribute"=>"cn", " group_desc_attribute"=>"description", " group_member_attribute"=>"member", " group_allow_create"=>"False", " group_allow_update"=>"False", " group_allow_delete"=>"False", " group_filter"=>"", " ldap_proxy"=>"false", " use_tls"=>"False", " domain"=>"AD2"}['domain']]/Keystone_config[openldap2/identity/driver]/ensure (notice): created
2017-01-20 10:44:20 +0000

Changed in fuel:
milestone: none → 9.2
Changed in fuel-plugins:
milestone: none → 9.0
summary: - [ldap] not encrypted password in puppet log
+ [ldap] not encrypted ldap password in puppet log
summary: - [ldap] not encrypted ldap password in puppet log
+ [ldap] not encrypted ldap passwords in puppet log
summary: - [ldap] not encrypted ldap passwords in puppet log
+ [ldap][security] not encrypted ldap passwords in puppet log
Nikita Karpin (mkarpin) on 2017-01-23
description: updated
Nikita Karpin (mkarpin) on 2017-01-23
Changed in fuel-plugins:
assignee: nobody → Nikita Karpin (mkarpin)
Changed in fuel:
assignee: nobody → Nikita Karpin (mkarpin)
Changed in fuel:
importance: Undecided → High
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/425801

Changed in fuel-plugins:
status: New → In Progress
Nikita Karpin (mkarpin) on 2017-02-01
Changed in fuel:
status: Confirmed → In Progress
Roman Vyalov (r0mikiam) on 2017-02-03
Changed in fuel:
status: In Progress → Won't Fix

Reviewed: https://review.openstack.org/425801
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-ldap/commit/?id=7cf2e0f36ee174796f15d6e0cbcbfdaef55d4fe3
Submitter: Jenkins
Branch: master

commit 7cf2e0f36ee174796f15d6e0cbcbfdaef55d4fe3
Author: Mykyta Karpin <email address hidden>
Date: Thu Jan 26 19:27:27 2017 +0200

    Rewrite additional domains generation

    This patch makes use of the Puppet native function
    create_resources() in order to generate
    Keystone domain resources from the hash
    provided by the parce_it() function.

    This approach required modification of the parce_it()
    function so it can parse a list of additional domain strings
    and generate a hash in the form of:

    domain1_name => { property1 => value1,
                      property2 => value2,
                      .....
                      propertyx => valuex },
    domain2_name => { property1 => value1,
                      property2 => value2,
                      .....
                      propertyx => valuex },
    .....and so on

    This form of hash is suitable to be taken by the create_resources()
    function. The Puppet define plugin_ldap::multiple_domain
    was also modified to comply with the create_resources()
    function.

    Change-Id: I14321af5efa18f1381a51668ed1c5c50c06a0002
    Closes-Bug: #1658655
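
Added example, not code from fuel-plugin-ldap and not the commit's parce_it() implementation: a Ruby parser that turns a flat list of key=value domain lines into the per-domain hash the commit message describes, keyed by domain name so that create_resources() titles each resource by its name and the password stays a parameter instead of ending up in the resource title that Puppet prints in its log. The sample input is constructed; its hosts and passwords are placeholders, not the values from the report.

```ruby
# Constructed sample input modelled on the bug's log (placeholders only).
SAMPLE_DOMAINS = <<~EOS
  domain=openldap2
  url=ldap://ldap1.example.test
  suffix=dc=openldap2,dc=tld
  user=cn=admin,dc=openldap2,dc=tld
  password=EXAMPLE_PASSWORD_1
  user_filter=
  use_tls=False
  domain=AD2
  url=ldap://ad.example.test
  user=cn=admin,cn=Users,dc=keystone2,dc=tld
  password=EXAMPLE_PASSWORD_2
  use_tls=False
EOS

# Turn the flat line list into { "domain_name" => { "property" => "value" } }.
# Each "domain=" line starts a new domain. A value may itself contain "="
# (DNs such as cn=admin,dc=openldap2,dc=tld), so a line is split only at
# the first "=". Properties before any "domain=" line are rejected because
# no resource title could be derived for them.
def parse_domains(text)
  domains = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    key, value = line.split('=', 2)
    raise ArgumentError, "malformed line: #{line.inspect}" if value.nil?
    if key == 'domain'
      raise ArgumentError, "duplicate domain #{value}" if domains.key?(value)
      current = domains[value] = {}
    else
      raise ArgumentError, "property #{key} before any domain= line" if current.nil?
      current[key] = value
    end
  end
  domains
end

# Titles as create_resources() would see them after the fix: domain names only.
def resource_titles(text)
  parse_domains(text).keys
end

# Shape of the pre-fix title seen in the report's log: the whole config string,
# credentials included, joined into one resource title (hypothetical helper).
def legacy_title(text)
  text.each_line.map(&:strip).reject(&:empty?).join(' ')
end
```

Comparing legacy_title with resource_titles on the same input shows why the old define leaked: the password string is part of the title in the first case and absent from every title in the second.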

Changed in fuel-plugins:
status: In Progress → Fix Committed