Remove LDAP password hashing code

Bug #1308793 reported by Nathan Kinder
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Nathan Kinder

Bug Description

Keystone currently has code that hashes LDAP user passwords when creating and updating users (using salted SHA-1). Keystone itself should not be doing this hashing. The LDAP server itself is supposed to receive the clear text "userPassword" attribute value so it can hash it itself. This hashing may or may not be using salted SHA-1 depending on the LDAP server implementation or password policy configuration. In addition, some LDAP server implementations may even refuse to accept pre-hashed passwords.

The proper behavior is to just pass the clear-text password off to the LDAP server as a part of the LDAP add or modify operation.
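The following is an added illustration, not Keystone code and not part of the bug report. It contrasts the two flows the description talks about: a client that pre-hashes userPassword with {SSHA} (salted SHA-1) before the LDAP add/modify, versus a client that sends the clear-text value and lets the directory apply its own scheme. The LDAP server here is a small in-process simulation (assumed names SimulatedLdapServer, modify_user_password, bind, keystone_prehashing_flow, keystone_passthrough_flow); its policy knobs (storage scheme, whether pre-hashed values are accepted) stand in for real directory password-policy settings, which vary by product.

```python
import base64
import hashlib
import hmac
import os

# Constructed example: a toy directory with a password policy, used to show
# why a client such as Keystone should not hash userPassword itself.


def ssha_hash(password, salt=None):
    """Client-side {SSHA} value in the RFC 2307 style: base64(sha1(pw+salt)+salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


class SimulatedLdapServer:
    """Stand-in for an LDAP directory (assumption: not any real server's API).

    scheme: scheme the server applies to clear-text values it receives
            ("SSHA" or "PBKDF2-SHA256").
    allow_prehashed: whether a value arriving with a "{SCHEME}" prefix is
            stored verbatim; many policies forbid this.
    """

    def __init__(self, scheme="PBKDF2-SHA256", allow_prehashed=False):
        self.scheme = scheme
        self.allow_prehashed = allow_prehashed
        self.entries = {}

    def _hash(self, password):
        salt = os.urandom(16)
        if self.scheme == "SSHA":
            return ssha_hash(password, salt)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
        return "{PBKDF2-SHA256}100000$%s$%s" % (
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(dk).decode("ascii"),
        )

    def modify_user_password(self, dn, value):
        """Handle an add/modify of userPassword; return the scheme actually stored."""
        if value.startswith("{"):
            if not self.allow_prehashed:
                # Mirrors a policy that rejects pre-hashed values outright.
                raise ValueError("constraintViolation: pre-hashed userPassword not permitted")
            stored = value  # stored as-is: the policy scheme is bypassed
        else:
            stored = self._hash(value)
        self.entries[dn] = stored
        return stored.split("}", 1)[0][1:]

    def bind(self, dn, password):
        """Simple bind: verify the supplied password against the stored value."""
        stored = self.entries.get(dn)
        if stored is None:
            return False
        if stored.startswith("{SSHA}"):
            raw = base64.b64decode(stored[len("{SSHA}"):])
            digest, salt = raw[:20], raw[20:]
            calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
            return hmac.compare_digest(calc, digest)
        if stored.startswith("{PBKDF2-SHA256}"):
            rounds, salt_b64, dk_b64 = stored[len("{PBKDF2-SHA256}"):].split("$")
            dk = hashlib.pbkdf2_hmac(
                "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(rounds)
            )
            return hmac.compare_digest(dk, base64.b64decode(dk_b64))
        return False


def keystone_prehashing_flow(server, dn, password):
    """Old behaviour: the client hashes with {SSHA} before the LDAP modify."""
    return server.modify_user_password(dn, ssha_hash(password))


def keystone_passthrough_flow(server, dn, password):
    """Fixed behaviour: send clear text; the server applies its own policy."""
    return server.modify_user_password(dn, password)


if __name__ == "__main__":
    strict = SimulatedLdapServer(scheme="PBKDF2-SHA256", allow_prehashed=False)
    try:
        keystone_prehashing_flow(strict, "uid=alice,ou=users", "s3cret")
    except ValueError as exc:
        print("pre-hashed value rejected:", exc)
    print("stored as", keystone_passthrough_flow(strict, "uid=alice,ou=users", "s3cret"))
    print("bind ok:", strict.bind("uid=alice,ou=users", "s3cret"))

    lenient = SimulatedLdapServer(scheme="PBKDF2-SHA256", allow_prehashed=True)
    print("pre-hashing on a lenient server stores", keystone_prehashing_flow(lenient, "uid=bob", "pw"))
```

Two failure modes fall out of the simulation: with a strict policy the pre-hashed write is refused outright, so user creation fails; with a lenient policy it is accepted but the entry ends up stored under the client's salted SHA-1 rather than the stronger scheme the directory was configured to use. Passing the clear text through avoids both.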

Nathan Kinder (nkinder)
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/88109

Openstack Gerrit (openstack-gerrit) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/88109
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c94d19b486a54eb889585ce03aac58d644a9599c
Submitter: Jenkins
Branch: master

commit c94d19b486a54eb889585ce03aac58d644a9599c
Author: Nathan Kinder <email address hidden>
Date: Wed Apr 16 16:21:25 2014 -0700

    Remove LDAP password hashing code

    Keystone should not be hashing passwords for LDAP users
    itself. Password hashing should be performed by the LDAP
    server, as password policies may not allow pre-hashed
    passwords to be set (they may enforce a scheme that is
    stronger than salted SHA-1).

    This removes the LDAP password hashing code. When using
    fakeldap for running unit tests, passwords will not be
    hashed. For this reason, the hashing tests are skipped
    for LDAP backends.

    Closes-bug: 1308793
    Change-Id: Ia0998b7fd8fb5d01b86a947d18b7e79fcffd1228

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-1 → 2014.2