Remove LDAP password hashing code
Bug #1308793 reported by Nathan Kinder
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Nathan Kinder |
Bug Description
Keystone currently has code that hashes LDAP user passwords when creating and updating users (using salted SHA-1). Keystone itself should not be doing this hashing. The LDAP server itself is supposed to receive the clear text "userPassword" attribute value so it can hash it itself. This hashing may or may not be using salted SHA-1 depending on the LDAP server implementation or password policy configuration. In addition, some LDAP server implementations may even refuse to accept pre-hashed passwords.
The proper behavior is to just pass the clear-text password off to the LDAP server as a part of the LDAP add or modify operation.
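The two behaviours described above, side by side, as an added example that is not Keystone's code: the client-side salted SHA-1 value next to the clear-text value the server is meant to receive, plus a check that flags scheme-prefixed values in a modlist. The function names, the `cn`/`userPassword` entry layout, the 4-byte salt and the sample user are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Hypothetical helpers. Attribute values are bytes, the form LDAP client
# libraries take in an add modlist.
SCHEME = re.compile(rb"^\{[A-Za-z0-9._-]+\}")

def ssha(password, salt=None):
    """Salted SHA-1 value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def check_ssha(value, candidate):
    """Split the stored value back into digest and salt and compare."""
    raw = base64.b64decode(value[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def modlist_prehashed(name, password):
    """Behaviour the bug describes: the client hashes before the add."""
    return [("cn", [name.encode("utf-8")]),
            ("userPassword", [ssha(password)])]

def modlist_cleartext(name, password):
    """Behaviour the bug asks for: the server gets the clear text."""
    return [("cn", [name.encode("utf-8")]),
            ("userPassword", [password.encode("utf-8")])]

def prefixed_attrs(modlist):
    """Attributes whose values carry a {SCHEME} prefix (a heuristic: a
    clear-text password may itself begin with braces)."""
    return [attr for attr, values in modlist
            if any(SCHEME.match(v) for v in values)]

if __name__ == "__main__":
    # Constructed sample user and password.
    for build in (modlist_prehashed, modlist_cleartext):
        ml = build("alice", "s3cret-Example")
        print(build.__name__, ml, "prefixed:", prefixed_attrs(ml))
```

Because the clear-text value travels inside the add or modify request, the connection to the directory needs TLS (LDAPS or StartTLS).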
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: none → juno-1
status: Fix Committed → Fix Released
Changed in keystone:
milestone: juno-1 → 2014.2
Fix proposed to branch: master
Review: https://review.openstack.org/88109