allow unauthenticated connections to an LDAP server

Fixes: bug 1119495 Change-Id: I13cdc212752f212ecf59a6a83f8f32c042ccf6e0
2013-02-08 17:35:19 +01:00 · 2013-02-08 17:35:19 +01:00 · cfb3fdb5ec
commit cfb3fdb5ec
parent e0f8a1bbac
2 changed files with 25 additions and 7 deletions
--- a/keystone/config.py
+++ b/keystone/config.py
@ -148,13 +148,14 @@ register_int('max_token_size', default=8192)
 # identity
 register_str('default_domain_id', group='identity', default='default')

-#ssl options
+# ssl
 register_bool('enable', group='ssl', default=False)
 register_str('certfile', group='ssl', default=None)
 register_str('keyfile', group='ssl', default=None)
 register_str('ca_certs', group='ssl', default=None)
 register_bool('cert_required', group='ssl', default=False)
-#signing options
+
+# signing
 register_str('token_format', group='signing',
             default="PKI")
 register_str('certfile', group='signing',
@ -168,7 +169,7 @@ register_int('valid_days', group='signing', default=3650)
 register_str('ca_password', group='signing', default=None)


-# sql options
+# sql
 register_str('connection', group='sql', default='sqlite:///keystone.db')
 register_int('idle_timeout', group='sql', default=200)

@ -187,10 +188,10 @@ register_str('driver', group='stats',
             default='keystone.contrib.stats.backends.kvs.Stats')


-#ldap
+# ldap
 register_str('url', group='ldap', default='ldap://localhost')
-register_str('user', group='ldap', default='dc=Manager,dc=example,dc=com')
-register_str('password', group='ldap', default='freeipa4all')
+register_str('user', group='ldap', default=None)
+register_str('password', group='ldap', default=None)
 register_str('suffix', group='ldap', default='cn=example,cn=com')
 register_bool('use_dumb_member', group='ldap', default=False)
 register_str('dumb_member', group='ldap', default='cn=dumb,dc=nonexistent')
@ -247,7 +248,8 @@ register_list('group_attribute_ignore', group='ldap', default='')
 register_bool('group_allow_create', group='ldap', default=True)
 register_bool('group_allow_update', group='ldap', default=True)
 register_bool('group_allow_delete', group='ldap', default=True)
-#pam
+
+# pam
 register_str('url', group='pam', default=None)
 register_str('userid', group='pam', default=None)
 register_str('password', group='pam', default=None)
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@ -396,6 +396,22 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
        user_ref = self.identity_api.get_user('fake1')
        self.assertEqual(user_ref['enabled'], True)

+    def test_user_api_get_connection_no_user_password(self):
+        """Don't bind in case the user and password are blank"""
+        self.config([test.etcdir('keystone.conf.sample'),
+                     test.testsdir('test_overrides.conf')])
+        CONF.ldap.url = "fake://memory"
+        user_api = identity_ldap.UserApi(CONF)
+        self.stubs.Set(fakeldap, 'FakeLdap',
+                       self.mox.CreateMock(fakeldap.FakeLdap))
+        # we have to track all calls on 'conn' to make sure that
+        # conn.simple_bind_s is not called
+        conn = self.mox.CreateMockAnything()
+        conn = fakeldap.FakeLdap(CONF.ldap.url).AndReturn(conn)
+        self.mox.ReplayAll()
+
+        user_api.get_connection(user=None, password=None)
+
 # TODO (henry-nash) These need to be removed when the full LDAP implementation
 # is submitted - see BugL #1092187
    def test_group_crud(self):