Reviewed: https://review.openstack.org/407561 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f8ee249bf08cefd8468aa15c589dab48bd5c4cd8 Submitter: Jenkins Branch: master
commit f8ee249bf08cefd8468aa15c589dab48bd5c4cd8 Author: Colleen Murphy <[email protected]> Date: Tue Dec 6 15:40:02 2016 +0100 Add anonymous bind to get_connection method If no username and password is specified in the keystone ldap configuration, it may still be possible to bind to an LDAP server anonymously if the LDAP server is configured to allow it. Currently, upon creating a connection object, keystone only attempts to bind to the LDAP server if a username and password has been provided to it. This would rarely be an issue because pyldap attempts a reconnect upon executing any ldap command, if necessary, and hence the anonymous bind just happens later. It is a problem now because logic was added[1] to check if the server errored during that initial connection, and for it to work correctly the initial connection needs to happen in a predictable place. This patch adds an anonymous bind to the get_connection method so that no matter the credential configuration the initial connection is consistent. This required adding mocks to many of the LDAP backend tests since every LDAP interaction now attempts a simple_bind_s() regardless of whether credentials are configured in keystone. [1] https://review.openstack.org/#/c/390948 Closes-bug: #1649138 Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1649138 Title: Initial LDAP bind occurs inconsistently depending on deployment configuration Status in OpenStack Identity (keystone): Fix Released Bug description: Some operators configure their LDAP identity backends to allow anonymous binds for access to read-only information. This is a valid configuration within keystone, as keystone does not require LDAP credentials to be set in its config. Currently, if keystone is given LDAP credentials, it will attempt an initial authenticated bind at the same time that it creates a connection object[1]. If keystone does not have LDAP credentials, the first time it attempts to bind to the LDAP server will be upon the first time it executes a query, because pyldap will automatically attempt a "reconnect[2] if necessary, so there's not normally any problem. The only reason this would be a problem would be if we were trying to do some connection validation, which arose in a recent review[3]. In order to validate the connection, the first connection needs to happen in a predictable place regardless of the method of binding. [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py?h=11.0.0.0b1#n1286 [2] https://github.com/pyldap/pyldap/blob/pyldap-2.4.25.1/Lib/ldap/ldapobject.py#L1069 [3] https://review.openstack.org/#/c/390948/ To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1649138/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
