[rhos-list] keystone.conf unsafe LDAP passwords
Mark McLoughlin
markmc at redhat.com
Thu Aug 30 16:38:13 UTC 2012
On Thu, 2012-08-30 at 17:32 +0100, Mark McLoughlin wrote:
> Hi Jonathan,
>
> On Tue, 2012-08-28 at 15:29 -0400, Jonathan Mills wrote:
> > In keystone.conf, if you are using the [LDAP] backend, you cannot use a
> > password with certain characters in it -- particularly $ or !
> >
> > Nor have I found a way to escape them. I've attempted putting the
> > password in single or double quotes. I've also attempted escaping the
> > character inline with a backslash ( \ ).
> >
> > I know for a fact this is a problem, because in the log, with debug
> > enabled, it says:
> >
> > "keystone.openstack.common.cfg.NoSuchOptError: no such option: foRM3"
> >
> >
> > The characters foRM3 are four characters following a ! char in the
> > password I'm using.
>
> Hmm, that's pretty interesting.
>
> This is exactly the behaviour I'd expect with $, e.g. if you had
>
> [DEFAULT]
> password = foo$foRM3
>
> I'd expect to see the "NoSuchOptError", but you can escape the $ with
> another $:
>
> [DEFAULT]
> password = foo$$foRM3
>
> I don't expect this behaviour with !, though, and can't reproduce it
> here. Are you sure you're seeing it with ! too?
>
> Thanks,
> Mark.
>
> P.S. - for reference, we're using string.Template.safe_substitute():
>
> http://docs.python.org/library/string.html#template-strings
> http://www.python.org/dev/peps/pep-0292

I've filed this upstream docs bug:

https://bugs.launchpad.net/openstack-manuals/+bug/1043935

Cheers,
Mark.
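The `$` behaviour discussed in this thread, reproduced as an added example that is not part of the original message or of the keystone code. `NoSuchOptError` and `OptLookup` here are stand-ins, and the lookup raising for unknown names is an assumption based on the error in the quoted log line.

```python
import string


class NoSuchOptError(AttributeError):
    """Stand-in for the error in the quoted log line (constructed)."""


class OptLookup:
    """Hypothetical stand-in for the config object: resolves known options only."""

    def __init__(self, opts):
        self._opts = opts

    def __getitem__(self, key):
        if key not in self._opts:
            # Not a KeyError, so safe_substitute() does not swallow it.
            raise NoSuchOptError("no such option: %s" % key)
        return self._opts[key]


def interpolate(raw, opts):
    """Expand $name references in a raw config value with string.Template."""
    return string.Template(raw).safe_substitute(OptLookup(opts))


def escape_password(password):
    """Double every $ so the password survives interpolation unchanged."""
    return password.replace("$", "$$")


def unescaped_refs(raw):
    """List the $name / ${name} references Template would try to resolve."""
    refs = []
    for m in string.Template.pattern.finditer(raw):
        name = m.group("named") or m.group("braced")
        if name:
            refs.append(name)
    return refs


if __name__ == "__main__":
    for raw in ("foo$foRM3", "foo$$foRM3", "foo!foRM3"):  # constructed values
        try:
            print(raw, "->", interpolate(raw, {}))
        except NoSuchOptError as exc:
            print(raw, "->", exc, "| unescaped:", unescaped_refs(raw))
```

`unescaped_refs()` can be run over a config value before deployment to catch a password that still contains an unescaped `$`.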