Public bug reported:
Validation is required for the fields - user_tree_dn (User Tree
Distinguished Name), group_tree_dn (Group Tree Distinguished Name), user
(User Bind Distinguished Name) for both create and update domain config
APIs. Currently the following issues occur:
1. If the user ("user bind name") contains invalid characters, then connection
to the LDAP server for any of the operations fails.
2. If the user_tree_dn contains invalid characters, then any operation on users
for the LDAP server fails, e.g. list all users.
3. If the group_tree_dn contains invalid characters, then any operation on
groups for the LDAP server fails, e.g. list all groups.
We believe that there should be a check on these 3 attribute values for invalid
characters for the following APIs:
1. Create Domain config
({{url}}/v3/domains/02ce011944aa4021b576c01e3c423d9f/config, PUT)
2. Update Domain config
({{url}}/v3/domains/02ce011944aa4021b576c01e3c423d9f/config, PATCH)
The current API returns success even when these attribute values contain
invalid characters from an LDAP perspective.
** Affects: keystone
Importance: Undecided
Status: New
** Summary changed:
- Create IDP with LDAP requires validation for UDN,User Bind Distinguished
Name, User Tree Distinguished Name,Group Tree Distinguished Name
+ Create/Update Domain config with LDAP requires validation for User Bind
Distinguished Name, User Tree Distinguished Name,Group Tree Distinguished Name
--
https://bugs.launchpad.net/bugs/1506062
Title:
Create/Update Domain config with LDAP requires validation for User
Bind Distinguished Name, User Tree Distinguished Name,Group Tree
Distinguished Name
Status in Keystone:
New
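The check the report asks for, sketched as an added example (not part of the original report and not Keystone's own code): a syntax check of the three DN options in a create (PUT) or update (PATCH) domain config body, so a malformed value is rejected at the API instead of surfacing later as a failed LDAP operation. The function names, the `{"config": {"ldap": ...}}` body shape, and the simplified RFC 4514 grammar (spaces after a separator are tolerated) are assumptions.

```python
import re

# Simplified RFC 4514 grammar: attribute type is a short name or numeric OID.
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*")
_HEX_VALUE = re.compile(r"#(?:[0-9A-Fa-f]{2})+")
# One value token: escaped special, hex escape, or an ordinary character.
_TOKEN = re.compile(r'\\[ "#+,;<=>\\]|\\[0-9A-Fa-f]{2}|[^"+,;<>\\\x00]')
DN_FIELDS = ("user", "user_tree_dn", "group_tree_dn")  # options from the report


def _split_unescaped(text, sep):  # backslash-escaped separators do not split
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 2 if text[i] == "\\" else 1
    return parts + [text[start:]]


def _valid_value(value):
    if value.startswith("#"):  # hex-encoded BER value
        return bool(_HEX_VALUE.fullmatch(value))
    tokens = _TOKEN.findall(value)  # unescaped specials match no token
    edges_ok = not tokens or " " not in (tokens[0], tokens[-1])
    return "".join(tokens) == value and edges_ok


def is_valid_dn(dn):
    """True if dn is in simplified RFC 4514 form (space after separator allowed)."""
    if not isinstance(dn, str) or not dn.strip():
        return False
    for rdn in _split_unescaped(dn, ","):
        for atv in _split_unescaped(rdn, "+"):
            attr_type, eq, value = atv.lstrip().partition("=")
            if not (eq and _ATTR_TYPE.fullmatch(attr_type) and _valid_value(value)):
                return False
    return True


def invalid_dn_fields(body):
    """DN options in a create (PUT) or update (PATCH) body that fail the check."""
    ldap_opts = body.get("config", {}).get("ldap", {})
    return [f for f in DN_FIELDS if f in ldap_opts and not is_valid_dn(ldap_opts[f])]


# Constructed body; the {"config": {"ldap": ...}} shape is an assumption.
SAMPLE = {"config": {"ldap": {"user": "cn=admin,dc=example,dc=org",
                              "user_tree_dn": "ou=Users;dc=example"}}}
```

An API handler could return a 400 response naming the entries of `invalid_dn_fields(body)` when the list is non-empty. Only options present in the body are checked, so a partial PATCH is handled the same way as a full PUT.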