[ldap auth] make sure imported passwords from LDAP are encrypted (closes #2583994) stable
authorDavid Douard <david.douard@logilab.fr>
Thu, 24 Jan 2013 16:10:31 +0100
branchstable
changeset 8680 2bb3021f4ffe
parent 8679 cf4dacc80976
child 8681 48731a0d3df8
[ldap auth] make sure imported passwords from LDAP are encrypted (closes #2583994) When a user is imported from an LDAP source (in ldapfeed or when converting a user from an ldapsource to a system one), we may receive a clear-text password, which we do not want to store in our system database.
server/ldaputils.py
server/test/data/ldap_test.ldif
server/test/unittest_ldapuser.py
--- a/server/ldaputils.py	Tue Dec 18 12:25:08 2012 +0100
+++ b/server/ldaputils.py	Thu Jan 24 16:10:31 2013 +0100
@@ -38,6 +38,7 @@
 from ldapurl import LDAPUrl
 
 from cubicweb import ValidationError, AuthenticationError, Binary
+from cubicweb.server import utils
 from cubicweb.server.sources import ConnectionWrapper
 
 _ = unicode
@@ -334,7 +335,11 @@
         itemdict = {'dn': dn}
         for key, value in iterator:
             if self.user_attrs.get(key) == 'upassword': # XXx better password detection
-                itemdict[key] = Binary(value[0].encode('utf-8'))
+                value = value[0].encode('utf-8')
+                # we only support ldap_salted_sha1 for ldap sources, see: server/utils.py
+                if not value.startswith('{SSHA}'):
+                    value = utils.crypt_password(value)
+                itemdict[key] = Binary(value)
             else:
                 for i, val in enumerate(value):
                     value[i] = unicode(val, 'utf-8', 'replace')
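Review bot: The hashed-vs-cleartext detection on the `if not value.startswith('{SSHA}')` line treats only an exact-case `{SSHA}` prefix as already hashed, so a value that LDAP returns with another RFC 2307 scheme prefix (`{SHA}`, `{MD5}`, `{CRYPT}`, or a lower-case `{ssha}`) is handed to `utils.crypt_password` as if it were the cleartext password. That does not leak anything, but it silently stores a hash of a hash and, assuming `authenticate` verifies against the stored value as the new test expects, locks those users out with no log line. Consider matching the prefix case-insensitively, `if value[:6].upper() != '{SSHA}':`, and, since the comment states only salted SHA-1 is supported, explicitly warning on or rejecting any other `{SCHEME}` prefix instead of re-hashing it. The `# XXx better password detection` marker a few lines up still applies and could be reworded to point at this gap. The enclosing function starts and ends outside the hunk.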
--- a/server/test/data/ldap_test.ldif	Tue Dec 18 12:25:08 2012 +0100
+++ b/server/test/data/ldap_test.ldif	Thu Jan 24 16:10:31 2013 +0100
@@ -31,7 +31,7 @@
 gecos: Sylvain Thenault
 mail: sylvain.thenault@logilab.fr
 mail: syt@logilab.fr
-userPassword: {SSHA}v/8xJQP3uoaTBZz1T7Y0B3qOxRN1cj7D
+userPassword: syt
 
 dn: uid=adim,ou=People,dc=cubicweb,dc=test
 loginShell: /bin/bash
@@ -53,5 +53,5 @@
 gecos: Adrien Di Mascio
 mail: adim@logilab.fr
 mail: adrien.dimascio@logilab.fr
-userPassword: {SSHA}cPQOWqkkLDlfWFwxcl1m8V2JdySQBHfS
+userPassword: adim
 
--- a/server/test/unittest_ldapuser.py	Tue Dec 18 12:25:08 2012 +0100
+++ b/server/test/unittest_ldapuser.py	Thu Jan 24 16:10:31 2013 +0100
@@ -259,10 +259,6 @@
         source.pull_data(self.session)
         rset = self.sexecute('CWUser X WHERE X login %(login)s', {'login': 'syt'})
         self.assertEqual(len(rset), 1)
-        # test some password has been set
-        cu = self.session.system_sql('SELECT cw_upassword FROM cw_CWUser WHERE cw_eid=%s' % rset[0][0])
-        value = str(cu.fetchall()[0][0])
-        self.assertEqual(value, '{SSHA}v/8xJQP3uoaTBZz1T7Y0B3qOxRN1cj7D')
         self.assertTrue(self.repo.system_source.authenticate(
                 self.session, 'syt', password='syt'))