Remove LDAP password hashing code

Bug #1308793 reported by Nathan Kinder on 2014-04-16
Affects: OpenStack Identity (keystone); assigned to: Nathan Kinder

Bug Description

Keystone currently has code that hashes LDAP user passwords when creating and updating users (using salted SHA-1). Keystone itself should not be doing this hashing. The LDAP server itself is supposed to receive the clear text "userPassword" attribute value so it can hash it itself. This hashing may or may not be using salted SHA-1 depending on the LDAP server implementation or password policy configuration. In addition, some LDAP server implementations may even refuse to accept pre-hashed passwords.

The proper behavior is to just pass the clear-text password off to the LDAP server as a part of the LDAP add or modify operation.
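As an added illustration (not code from Keystone or from this bug), the following shows the salted SHA-1 `{SSHA}` value the removed code produced, the clear-text `userPassword` value the fix sends instead, and a constructed model of a directory server whose password policy hashes clear text under its own scheme and refuses a pre-hashed value of a different scheme. All function names and the server model are assumptions, not real directory-server code.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Salted SHA-1 in the RFC 2307 {SSHA} layout: base64(sha1(pw + salt) + salt).
    This is the kind of client-side value the removed Keystone code produced."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Only a consumer that implements exactly this scheme can check the value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_password_value(password: str, client_side_hash: bool) -> bytes:
    """Bytes placed in userPassword for the LDAP add/modify request.
    client_side_hash=True mirrors the removed behaviour; False is the fix."""
    if client_side_hash:
        return ssha_hash(password).encode("ascii")
    return password.encode("utf-8")


def server_store_password(value: bytes, policy_scheme: str = "SSHA512") -> str:
    """Constructed model (assumption, not real server code) of the behaviour the
    bug describes: clear text is hashed under the server's own policy scheme; a
    pre-hashed value is kept only if its scheme matches the policy, else refused."""
    text = value.decode("utf-8")
    if text.startswith("{") and "}" in text:
        scheme = text[1:text.index("}")]
        if scheme != policy_scheme:
            raise ValueError("pre-hashed {%s} refused by %s policy" % (scheme, policy_scheme))
        return text
    if policy_scheme == "SSHA":
        return ssha_hash(text)
    # Stand-in for a stronger server-chosen scheme: same layout with SHA-512.
    salt = os.urandom(8)
    digest = hashlib.sha512(text.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")
```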

Nathan Kinder (nkinder) on 2014-04-16
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress

Submitter: Jenkins
Branch: master

commit c94d19b486a54eb889585ce03aac58d644a9599c
Author: Nathan Kinder <email address hidden>
Date: Wed Apr 16 16:21:25 2014 -0700

    Remove LDAP password hashing code

    Keystone should not be hashing passwords for LDAP users
    itself. Password hashing should be performed by the LDAP
    server, as password policies may not allow pre-hashed
    passwords to be set (they may enforce a scheme that is
    stronger than salted SHA-1).

    This removes the LDAP password hashing code. When using
    fakeldap for running unit tests, passwords will not be
    hashed. For this reason, the hashing tests are skipped
    for LDAP backends.

    Closes-bug: 1308793
    Change-Id: Ia0998b7fd8fb5d01b86a947d18b7e79fcffd1228

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph) on 2014-05-06
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx) on 2014-06-11
Changed in keystone:
milestone: none → juno-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in keystone:
milestone: juno-1 → 2014.2