Remove passwords from LDAP queries

Bug 1178032

Change-Id: Idca895b1d4d2e611fe834f49b436864a73f4006c

1 files changed, 6 insertions, 2 deletions

diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index f9e546a9..53f7f156 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -77,7 +77,8 @@ class Identity(identity.Driver):
         return self.assignment_api._set_default_domain(ref)
 
     def list_users(self):
-        return self.assignment_api._set_default_domain(self.user.get_all())
+        return (self.assignment_api._set_default_domain
+                (self.user.get_all_filtered()))
 
     def get_user_by_name(self, user_name, domain_id):
         self.assignment_api._validate_default_domain_id(domain_id)
@@ -181,7 +182,7 @@ class Identity(identity.Driver):
         for user_dn in self.group.list_group_users(group_id):
             user_id = self.user._dn_to_id(user_dn)
             try:
-                users.append(self.user.get(user_id))
+                users.append(self.user.get_filtered(user_id))
             except exception.UserNotFound:
                 LOG.debug(_("Group member '%(user_dn)s' not found in"
                             " '%(group_id)s'. The user should be removed"
@@ -264,6 +265,9 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
         user = self.get(user_id)
         return identity.filter_user(user)
 
+    def get_all_filtered(self):
+        return [identity.filter_user(user) for user in self.get_all()]
+
 
 class GroupApi(common_ldap.BaseLdap):
     DEFAULT_OU = 'ou=UserGroups'