# HG changeset patch
# User David Douard
# Date 1359040231 -3600
# Node ID 2bb3021f4ffe3ac8f1af766ad21ee286e215e63b
# Parent cf4dacc809768acd1875bffd840daacc3cac7244
[ldap auth] make sure imported passwords from LDAP are encrypted (closes #2583994)

When a user is imported from an LDAP source (in ldapfeed or when converting a user from an ldapsource to system one), we may import a clear-text password, which we do not want to do in our system database.

diff -r cf4dacc80976 -r 2bb3021f4ffe server/ldaputils.py
--- a/server/ldaputils.py Tue Dec 18 12:25:08 2012 +0100
+++ b/server/ldaputils.py Thu Jan 24 16:10:31 2013 +0100
@@ -38,6 +38,7 @@
 from ldapurl import LDAPUrl
 
 from cubicweb import ValidationError, AuthenticationError, Binary
+from cubicweb.server import utils
 from cubicweb.server.sources import ConnectionWrapper
 
 _ = unicode
@@ -334,7 +335,11 @@
         itemdict = {'dn': dn}
         for key, value in iterator:
             if self.user_attrs.get(key) == 'upassword': # XXx better password detection
-                itemdict[key] = Binary(value[0].encode('utf-8'))
+                value = value[0].encode('utf-8')
+                # we only support ldap_salted_sha1 for ldap sources, see: server/utils.py
+                if not value.startswith('{SSHA}'):
+                    value = utils.crypt_password(value)
+                itemdict[key] = Binary(value)
             else:
                 for i, val in enumerate(value):
                     value[i] = unicode(val, 'utf-8', 'replace')
diff -r cf4dacc80976 -r 2bb3021f4ffe server/test/data/ldap_test.ldif
--- a/server/test/data/ldap_test.ldif Tue Dec 18 12:25:08 2012 +0100
+++ b/server/test/data/ldap_test.ldif Thu Jan 24 16:10:31 2013 +0100
@@ -31,7 +31,7 @@
 gecos: Sylvain Thenault
 mail: sylvain.thenault@logilab.fr
 mail: syt@logilab.fr
-userPassword: {SSHA}v/8xJQP3uoaTBZz1T7Y0B3qOxRN1cj7D
+userPassword: syt
 
 dn: uid=adim,ou=People,dc=cubicweb,dc=test
 loginShell: /bin/bash
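Review bot: The `{SSHA}` prefix test on the third added line of the `@@ -334,7 +335,11 @@` hunk is the only thing separating a directory-supplied hash from `utils.crypt_password`, so a directory that stores any other scheme (`{SHA}`, `{CRYPT}`, `{MD5}`, or a lowercase `{ssha}` tag) has its hash treated as cleartext and hashed a second time, which leaves a credential the user can never match and nothing in the log says so. Comparing the tag case-insensitively, `if value[:6].upper() != '{SSHA}':`, covers the lowercase variant, and logging a warning when the value starts with `{` but is still re-hashed would make the unsupported-scheme case visible to the operator instead of silent. The converse also holds, a cleartext password that happens to begin with `{SSHA}` is stored as-is, and since a prefix check cannot tell the two apart the inline comment should state that the tag, not the content, is what is trusted. The enclosing method starts before this hunk. Note also that the unittest_ldapuser.py hunk drops the only assertion that inspected the stored `cw_upassword`, so no test now checks that the stored value is a hash rather than `syt`; keeping that query and replacing the removed equality with `self.assertNotEqual(value, 'syt')` would pin what this commit is for.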
@@ -53,5 +53,5 @@
 gecos: Adrien Di Mascio
 mail: adim@logilab.fr
 mail: adrien.dimascio@logilab.fr
-userPassword: {SSHA}cPQOWqkkLDlfWFwxcl1m8V2JdySQBHfS
+userPassword: adim
 
diff -r cf4dacc80976 -r 2bb3021f4ffe server/test/unittest_ldapuser.py
--- a/server/test/unittest_ldapuser.py Tue Dec 18 12:25:08 2012 +0100
+++ b/server/test/unittest_ldapuser.py Thu Jan 24 16:10:31 2013 +0100
@@ -259,10 +259,6 @@
         source.pull_data(self.session)
         rset = self.sexecute('CWUser X WHERE X login %(login)s', {'login': 'syt'})
         self.assertEqual(len(rset), 1)
-        # test some password has been set
-        cu = self.session.system_sql('SELECT cw_upassword FROM cw_CWUser WHERE cw_eid=%s' % rset[0][0])
-        value = str(cu.fetchall()[0][0])
-        self.assertEqual(value, '{SSHA}v/8xJQP3uoaTBZz1T7Y0B3qOxRN1cj7D')
         self.assertTrue(self.repo.system_source.authenticate(
             self.session, 'syt', password='syt'))