Implicitly ignore attributes that are mapped to None in LDAP

Attributes that are mapped to None in LDAP trigger a 500 error when
performing a search if they are not explicitly ignored in keystone's
configuration.  These attributes should always be ignored, even if
the admin left the attribute out of the ignore list.

Change-Id: Ibbabdd0013059d5720250816764021a0b3ce8ce0
Closes-bug: #1335437
Nathan Kinder 2014-06-28 08:05:42 -07:00
parent b285c89325
commit 10a3edb780
2 changed files with 25 additions and 1 deletions


@ -1009,7 +1009,12 @@ class BaseLdap(object):
continue
try:
v = lower_res[self.attribute_mapping.get(k, k).lower()]
map_attr = self.attribute_mapping.get(k, k)
if map_attr is None:
# Ignore attributes that are mapped to None.
continue
v = lower_res[map_attr.lower()]
except KeyError:
pass
else:
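Review bot: The None-mapping branch at `if map_attr is None:` drops the key from the result without any trace, so an operator who left an attribute out of the ignore list gets no signal that it is being skipped, and callers receive an object that simply lacks the field. A debug-level log line in that branch, or a fuller comment such as `# No LDAP attribute is mapped for this key; skip it rather than call .lower() on None`, would make the behaviour discoverable. The mapping lookup and the None check also sit inside the `try`, although only `lower_res[...]` can raise the `KeyError` being handled; hoisting them above `try:` would keep the handler narrow. The enclosing loop and method start and end outside the hunk.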


@ -631,6 +631,25 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
# If this doesn't raise, then the test is successful.
user = self.identity_api.create_user(user)
def test_unignored_user_none_mapping(self):
# Ensure that an attribute that maps to None that is not explicitly
# ignored in configuration is implicitly ignored without triggering
# an error.
conf = self.get_config(CONF.identity.default_domain_id)
conf.ldap.user_attribute_ignore = ['enabled', 'email',
'tenants', 'tenantId']
self.reload_backends(CONF.identity.default_domain_id)
user = {'name': u'fäké1',
'password': u'fäképass1',
'domain_id': CONF.identity.default_domain_id,
}
user_ref = self.identity_api.create_user(user)
# If this doesn't raise, then the test is successful.
self.identity_api.get_user(user_ref['id'])
def test_update_user_name(self):
"""A user's name cannot be changed through the LDAP driver."""
self.assertRaises(exception.Conflict,
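Review bot: `test_unignored_user_none_mapping` never states which attribute is mapped to None or which key the trimmed `user_attribute_ignore` list leaves out, so a reader cannot tell from the test what fixture configuration it depends on; a comment naming that attribute above the `conf.ldap.user_attribute_ignore = [...]` assignment would pin it. The test also passes on the absence of an exception alone, so asserting on the value returned by `get_user` (for example that `name` round-trips) would catch a regression that returns a malformed object without raising. `test_update_user_name` continues outside the hunk.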