[rhos-list] keystone.conf unsafe LDAP passwords

Jonathan Mills jonmills at renci.org
Thu Aug 30 16:50:13 UTC 2012


It is entirely possible I'm mistaken about the ! char. My testing was in a hurry. I do confirm the problem with the $ char. 

Expecting users to know to escape a $ with another $ is probably not reasonable, so I'm glad a bug is being filed. 

Thanks!

On Aug 30, 2012, at 12:32 PM, "Mark McLoughlin" <markmc at redhat.com> wrote:

> Hi Jonathan,
> 
> On Tue, 2012-08-28 at 15:29 -0400, Jonathan Mills wrote:
>> In keystone.conf, if you are using the [LDAP] backend, you cannot use a 
>> password with certain characters in it -- particularly $ or !
>> 
>> Nor have I found a way to escape them.  I've attempted putting the 
>> password in single or double quotes.  I've also attempted escaping the 
>> character inline with a backslash ( \ ).
>> 
>> I know for a fact this is a problem, because in the log, with debug 
>> enabled, it says:
>> 
>> "keystone.openstack.common.cfg.NoSuchOptError: no such option: foRM3"
>> 
>> 
>> The characters foRM3 are four characters following a ! char in the 
>> password I'm using.
> 
> Hmm, that's pretty interesting.
> 
> This is exactly the behaviour I'd expect with $, e.g. if you had
> 
>  [DEFAULT]
>  password = foo$foRM3
> 
> I'd expect to see the "NoSuchOptError", but you can escape the $ with
> another $:
> 
>  [DEFAULT]
>  password = foo$$foRM3
> 
> I don't expect this behaviour with !, though, and can't reproduce it
> here. Are you sure you're seeing it with ! too?
> 
> Thanks,
> Mark.
> 
> P.S. - for reference, we're using string.Template.safe_substitute():
> 
> http://docs.python.org/library/string.html#template-strings
> http://www.python.org/dev/peps/pep-0292
> 
> 
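The `$` handling discussed in this thread, as an added example that is not part of the original messages and is not keystone's code: it runs `string.Template.safe_substitute()` over a raw config value with a lookup object that raises for unknown names, then shows the `$$` escape and a helper that pre-escapes a secret before it is written to the file. `OptLookup`, `interpolate`, `escape_for_config`, `check` and the local `NoSuchOptError` stand-in are hypothetical names, and the assumption is that the config layer's lookup raises something other than `KeyError`, which `safe_substitute()` would otherwise swallow.

```python
from string import Template


class NoSuchOptError(AttributeError):
    """Stand-in for the error in the log; hypothetical, not keystone's class."""


class OptLookup:
    """Hypothetical mapping: resolves $name against known option names."""

    def __init__(self, opts):
        self._opts = opts

    def __getitem__(self, name):
        if name not in self._opts:
            # Not a KeyError, so safe_substitute() does not swallow it.
            raise NoSuchOptError("no such option: %s" % name)
        return self._opts[name]


def interpolate(raw, opts):
    """Expand $name references in a raw config value."""
    return Template(raw).safe_substitute(OptLookup(opts))


def escape_for_config(secret):
    """Double every $ so the secret survives interpolation unchanged."""
    return secret.replace("$", "$$")


def check(raw, opts):
    """Return the interpolated value, or the error text if lookup fails."""
    try:
        return interpolate(raw, opts)
    except NoSuchOptError as exc:
        return "ERROR: %s" % exc


if __name__ == "__main__":
    opts = {"bind_host": "0.0.0.0"}  # constructed sample options
    # Constructed sample values: unescaped $, escaped $$, a ! character,
    # and a secret passed through the escaping helper.
    for raw in ("foo$foRM3", "foo$$foRM3", "foo!foRM3",
                escape_for_config("p$ss!w0rd$")):
        print("%-16r -> %s" % (raw, check(raw, opts)))
```

Tooling that generates such config files can apply the same doubling to generated secrets, so a password containing `$` is neither rejected nor silently replaced by another option's value.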