openstack/keystone
Code Issues Proposed changes

Clarify LDAP invalid credentials exception

Browse Source 
This change catches the invalid credentials exception
when binding with LDAP and responds with a more clear error
message of "Invalid username or password" instead of just
supplying the default 500 error message.

Change-Id: I523dd816333ad76cde8f18ae0fa43040a4478524
Closes-Bug: #1684994
This commit is contained in:
Gage Hugo 2017-06-20 16:13:33 -05:00
parent 9070172084
commit 91f3a2044b
4 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
keystone/exception.py
View File

@ -603,3 +603,8 @@ class CredentialEncryptionError(Exception):
class LDAPServerConnectionError(UnexpectedError): class LDAPServerConnectionError(UnexpectedError):
debug_message_format = _('Unable to establish a connection to ' debug_message_format = _('Unable to establish a connection to '
'LDAP Server (%(url)s).') 'LDAP Server (%(url)s).')
class LDAPInvalidCredentialsError(UnexpectedError):
message_format = _('Unable to authenticate against Identity backend - '
'Invalid username or password')

2
keystone/identity/backends/ldap/common.py
View File

@ -1248,6 +1248,8 @@ class BaseLdap(object):
conn.simple_bind_s() conn.simple_bind_s()
return conn return conn
except ldap.INVALID_CREDENTIALS:
raise exception.LDAPInvalidCredentialsError()
except ldap.SERVER_DOWN: except ldap.SERVER_DOWN:
raise exception.LDAPServerConnectionError( raise exception.LDAPServerConnectionError(
url=self.LDAP_URL) url=self.LDAP_URL)

7
keystone/tests/unit/test_backend_ldap.py
View File

@ -1054,6 +1054,13 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
name=u'Default') name=u'Default')
self.assertEqual([default_domain], domains) self.assertEqual([default_domain], domains)
def test_authenticate_wrong_credentials(self):
self.assertRaises(exception.LDAPInvalidCredentialsError,
self.identity_api.driver.user.get_connection,
user='demo',
password='demo',
end_user_auth=True)
def test_configurable_allowed_project_actions(self): def test_configurable_allowed_project_actions(self):
domain = self._get_domain_fixture() domain = self._get_domain_fixture()
project = unit.new_project_ref(domain_id=domain['id']) project = unit.new_project_ref(domain_id=domain['id'])

8
releasenotes/notes/bug-1684994-264fb8f182ced180.yaml Normal file
View File

@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1684994 <https://bugs.launchpad.net/keystone/+bug/1684994>`_]
This catches the ldap.INVALID_CREDENTIALS exception thrown when
trying to connect to an LDAP backend with an invalid username
or password, and emits a message back to the user instead of
the default 500 error message.