[rhos-list] keystone.conf unsafe LDAP passwords
Mark McLoughlin
markmc at redhat.com
Thu Aug 30 16:32:18 UTC 2012
Hi Jonathan,

On Tue, 2012-08-28 at 15:29 -0400, Jonathan Mills wrote:
> In keystone.conf, if you are using the [LDAP] backend, you cannot use a
> password with certain characters in it -- particularly $ or !
>
> Nor have I found a way to escape them. I've attempted putting the
> password in single or double quotes. I've also attempted escaping the
> character inline with a backslash ( \ ).
>
> I know for a fact this is a problem, because in the log, with debug
> enabled, it says:
>
> "keystone.openstack.common.cfg.NoSuchOptError: no such option: foRM3"
>
>
> The characters foRM3 are four characters following a ! char in the
> password I'm using.

Hmm, that's pretty interesting.

This is exactly the behaviour I'd expect with $, e.g. if you had

  [DEFAULT]
  password = foo$foRM3

I'd expect to see the "NoSuchOptError", but you can escape the $ with
another $:

  [DEFAULT]
  password = foo$$foRM3

I don't expect this behaviour with !, though, and can't reproduce it
here. Are you sure you're seeing it with ! too?

Thanks,
Mark.

P.S. - for reference, we're using string.Template.safe_substitute():
http://docs.python.org/library/string.html#template-strings
http://www.python.org/dev/peps/pep-0292
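
Added example (not part of the original message, and not Keystone's code): a small Python model of the string.Template behaviour referenced above, showing $name lookup, the $$ escape, and a helper that escapes a secret before it is written to the config file. OptLookup, NoSuchOptError, resolve and escape_for_template are hypothetical names; it is an assumption that the config layer's lookup raises its own non-KeyError exception, which safe_substitute() does not swallow. The passwords are constructed samples.

```python
import string


class NoSuchOptError(Exception):
    """Hypothetical stand-in for the error seen in the log line."""


class OptLookup:
    """Resolves $name against known options.

    Assumption: unknown names raise a non-KeyError exception, so
    safe_substitute() propagates it instead of leaving $name in place.
    """

    def __init__(self, opts):
        self.opts = opts

    def __getitem__(self, key):
        if key not in self.opts:
            raise NoSuchOptError("no such option: %s" % key)
        return self.opts[key]


def resolve(raw, opts):
    """Expand $name / ${name} references in a raw config value."""
    return string.Template(raw).safe_substitute(OptLookup(opts))


def resolve_plain_dict(raw, opts):
    """Contrast: with a plain dict, the KeyError is swallowed."""
    return string.Template(raw).safe_substitute(opts)


def escape_for_template(secret):
    """Double every $ so the secret survives substitution unchanged."""
    return secret.replace("$", "$$")


def classify(raw, opts):
    """Return ("ok", value) or ("error", message) for a raw config value."""
    try:
        return ("ok", resolve(raw, opts))
    except NoSuchOptError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for raw in ("foo$foRM3", "foo$$foRM3", "foo!foRM3"):
        print(raw, "->", classify(raw, {}))
```

Running a generated secret through escape_for_template() before templating it into the config file avoids both the startup error and the quieter case where $name happens to match a real option and the password is silently altered.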