f8ee249bf0
If no username and password is specified in the keystone ldap configuration, it may still be possible to bind to an LDAP server anonymously if the LDAP server is configured to allow it. Currently, upon creating a connection object, keystone only attempts to bind to the LDAP server if a username and password has been provided to it. This would rarely be an issue because pyldap attempts a reconnect upon executing any ldap command, if necessary, and hence the anonymous bind just happens later.

It is a problem now because logic was added[1] to check if the server errored during that initial connection, and for it to work correctly the initial connection needs to happen in a predictable place.

This patch adds an anonymous bind to the get_connection method so that no matter the credential configuration the initial connection is consistent. This required adding mocks to many of the LDAP backend tests since every LDAP interaction now attempts a simple_bind_s() regardless of whether credentials are configured in keystone.

[1] https://review.openstack.org/#/c/390948

Closes-bug: #1649138
Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b

api-ref/source
config-generator
devstack
doc
etc
examples/pki
httpd
keystone
keystone_tempest_plugin
rally-jobs
releasenotes
tools
.coveragerc
.gitignore
.gitreview
.mailmap
.testr.conf
babel.cfg
bindep.txt
CONTRIBUTING.rst
HACKING.rst
LICENSE
README.rst
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini

Team and repository tags
OpenStack Keystone
Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
Developer documentation, the source of which is in doc/source/, is published at:
The API specification and documentation are available at:
The canonical client library is available at:
https://git.openstack.org/cgit/openstack/python-keystoneclient
Documentation for cloud administrators is available at:
The source of documentation for cloud administrators is available at:
Information about our team meeting is available at:
Bugs and feature requests are tracked on Launchpad at:
Future design work is tracked at:
http://specs.openstack.org/openstack/keystone-specs/#identity-program-specifications
Contributors are encouraged to join IRC (#openstack-keystone on freenode):
For information on contributing to Keystone, see CONTRIBUTING.rst.