f8ee249bf0
If no username and password are specified in the keystone ldap configuration, it may still be possible to bind to an LDAP server anonymously if the LDAP server is configured to allow it. Currently, upon creating a connection object, keystone only attempts to bind to the LDAP server if a username and password have been provided to it. This would rarely be an issue because pyldap attempts a reconnect upon executing any ldap command, if necessary, and hence the anonymous bind just happens later. It is a problem now because logic was added [1] to check if the server errored during that initial connection, and for it to work correctly the initial connection needs to happen in a predictable place.

This patch adds an anonymous bind to the get_connection method so that no matter the credential configuration the initial connection is consistent. This required adding mocks to many of the LDAP backend tests since every LDAP interaction now attempts a simple_bind_s() regardless of whether credentials are configured in keystone.

[1] https://review.openstack.org/#/c/390948

Closes-bug: #1649138
Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b
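The ordering problem the commit message describes, as an added example that is not keystone's code: a "before" get_connection that binds only when credentials are configured, next to the "after" variant that always binds (anonymously if needed), so an unreachable server is reported at connection time in both cases. A constructed fake stands in for the python-ldap connection object and `ServerDown` for `ldap.SERVER_DOWN`, so it runs offline.

```python
# Added example (not keystone's own code). Constructed fakes replace
# python-ldap so the bind ordering can be exercised without a directory.


class ServerDown(Exception):
    """Constructed stand-in for ldap.SERVER_DOWN."""


class FakeLdapConn:
    """Constructed fake of an ldap.ldapobject connection."""

    def __init__(self, url, reachable):
        self.url, self.reachable, self.bound = url, reachable, False
        self.binds = []  # (who, cred) for every simple_bind_s() call

    def simple_bind_s(self, who="", cred=""):
        self.binds.append((who, cred))
        if not self.reachable:
            raise ServerDown(self.url)
        self.bound = True

    def search_s(self, base, scope=2, filterstr="(objectClass=*)"):
        if not self.bound:  # pyldap-style lazy reconnect-and-bind
            self.simple_bind_s()
        return [(base, {})]


def get_connection_old(url, user=None, password=None, reachable=True):
    """Before the fix: bind only when credentials are configured."""
    conn = FakeLdapConn(url, reachable)
    if user and password:
        conn.simple_bind_s(user, password)
    return conn


def get_connection_new(url, user=None, password=None, reachable=True):
    """After the fix: always bind, anonymously when no credentials."""
    conn = FakeLdapConn(url, reachable)
    conn.simple_bind_s(user or "", password or "")
    return conn


def failure_point(get_connection, **creds):
    """Return 'connect', 'query' or 'none' for an unreachable server."""
    try:
        conn = get_connection("ldap://ldap.example.test", reachable=False, **creds)
    except ServerDown:
        return "connect"
    try:
        conn.search_s("dc=example,dc=test")
    except ServerDown:
        return "query"
    return "none"
```

With the old variant and no credentials the error only surfaces on the first query; the new variant surfaces it in get_connection for both credential configurations.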
10 lines
387 B
YAML
---
fixes:
  - >
    [`bug 1649138 <https://bugs.launchpad.net/keystone/+bug/1649138>`_]
    When using LDAP as an identity backend, the initial bind will now
    occur upon creation of a connection object, i.e. early on when
    performing LDAP queries, no matter whether the bind is
    authenticated or anonymous, so that any connection errors can be
    handled correctly and early.
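Review bot: the release note does not mention that, when no LDAP credentials are configured, keystone now sends an anonymous simple_bind_s() on every new connection, which the commit message says is the case for every LDAP interaction; suggest adding a sentence such as "Deployments that do not configure LDAP credentials will now attempt an anonymous bind when a connection is created, so directories that reject anonymous binds will report the error at that point."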