Bug 1573518 - Auth MIQLDAP - LDAP Admin password is stored in plain text in MIQ database
Summary: Auth MIQLDAP - LDAP Admin password is stored in plain text in MIQ database
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: GA
: 5.9.3
Assignee: Joe Vlcek
QA Contact: Matt Pusateri
Whiteboard: auth:miqldap:security
Reported: 2018-05-01 15:13 UTC by Matt Pusateri
Modified: 2018-05-03 13:59 UTC
Last Closed: 2018-05-02 20:54:31 UTC
Description Matt Pusateri 2018-05-01 15:13:57 UTC
Description of problem:
 Auth MIQLDAP - LDAP Admin password is stored in plain text in MIQ database - 

Version-Release number of selected component (if applicable):
5.9.2.3

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP to bind with "get users from group"


Actual results:
LDAP admin bind user is stored in database in plaintext.

Expected results:
password should be hashed.

Additional info:

Comment 2 Joe Vlcek 2018-05-02 20:54:31 UTC
Matt,

When we were working together on a different BZ the other day and I was able
to get the unencrypted password, it was because I know how to decrypt the bind_pwd
the way the code does in order to use it.


The bind_pwd is not stored in plain text in the DB.

e.g.:

 #<SettingsChange:0x00000008472e78
  id: 5,
  resource_type: "MiqServer",
  resource_id: 1,
  key: "/authentication/bind_pwd",
  value: "v2:{EwyrWCuEtvKUkeyI6SZL2Q==}",
  created_at: Wed, 18 Apr 2018 17:07:42 UTC +00:00,
  updated_at: Wed, 18 Apr 2018 17:07:42 UTC +00:00>,

I reviewed this with Gregg T and Alberto and we all agree the bind_pwd is
not plain text. The bind_pwd is encrypted in the DB.

Closing as NOTABUG
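
The check discussed in this bug, as an added example that is not part of the original comments or the product's code: it classifies secret-bearing settings rows by whether the stored value has the `v2:{...}` envelope shown above. The function names, the `SECRET_KEY` pattern and the sample rows are assumptions constructed for illustration; `:encrypted` means only that the value has the envelope shape with a valid base64 payload, not that it decrypts.

```ruby
require "base64"

# Envelope shape seen in the record above: v<version>:{<base64 payload>}
ENVELOPE = /\Av(?<version>\d+):\{(?<payload>[A-Za-z0-9+\/]*={0,2})\}\z/

# Assumption: settings keys ending in one of these words hold secrets.
SECRET_KEY = /(pwd|password|secret|token)\z/i

# Returns :encrypted, :malformed or :plaintext for one stored value.
def classify_value(value)
  m = ENVELOPE.match(value.to_s)
  return :plaintext unless m            # no envelope at all

  begin
    raw = Base64.strict_decode64(m[:payload])
  rescue ArgumentError
    return :malformed                   # envelope present, payload not base64
  end
  raw.empty? ? :malformed : :encrypted
end

# Reports the storage form of every secret-bearing row; other keys are skipped.
def audit_settings(rows)
  rows.select { |r| r[:key] =~ SECRET_KEY }
      .map { |r| { id: r[:id], key: r[:key], storage: classify_value(r[:value]) } }
end

# Constructed sample rows; the first mirrors the record quoted in the comment.
SAMPLE_ROWS = [
  { id: 5, key: "/authentication/bind_pwd", value: "v2:{EwyrWCuEtvKUkeyI6SZL2Q==}" },
  { id: 6, key: "/authentication/bind_pwd", value: "Sup3rSecret!" },
  { id: 7, key: "/authentication/bind_pwd", value: "v2:{abc}" },
  { id: 8, key: "/authentication/ldaphost", value: "ldap.example.com" },
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_settings(SAMPLE_ROWS).each { |finding| puts finding.inspect }
end
```
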

