Configurable actions on LDAP backend in users, tenants and roles

Bug #1052929 reported by Jose Castro Leon
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Undecided | Assigned to: Jose Castro Leon

Bug Description

In our environment we have an enterprise identity service that uses Active Directory and manages the complete lifecycle of an account. The LDAP backend allows accounts to be created, and there is no way to disable this behaviour. The proposal is to have some extra parameters that allow user operations to be disabled, so we can still rely on our enterprise identity service and use the accounts from AD as well.

Changed in keystone:
assignee: nobody → Jose Castro Leon (jose-castro-leon)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/13339

Changed in keystone:
status: New → In Progress
Ivan Bondarev (vanch-deactivatedaccount) wrote : Re: Configurable actions on LDAP backend in users

This should be controlled by domain policies of ldap_user, shouldn't it?

Jose Castro Leon (jose-castro-leon) wrote :

You can use a read-only account on this part of the tree using LDAP permissions, and receive a nice exception in every operation that you do on user create, update and delete. This is another security measure if the LDAP permissions are not set or badly configured.

Ivan Bondarev (vanch-deactivatedaccount) wrote :

You can also raise a nice exception when the rights are absent. And "one more check"... I still think it's bad. We shouldn't rely on keystone for AD management.

Jose Castro Leon (jose-castro-leon) wrote :

As suggested by Adam Young, the implementation will allow configuring actions on tenants and roles as well.
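The bug description and the comment above describe the same defence: a per-object-type configuration switch that refuses create, update and delete before any LDAP write is attempted, so an AD-managed deployment is covered even when the bind account's LDAP ACLs are too permissive. The block below is an added model of that guard, not keystone's code from the linked change; the option names (user_allow_create and friends) and the in-memory directory are assumptions made for illustration.

```python
# Added illustration, not keystone's own code: a minimal model of the guard this
# bug asks for. Every write on an LDAP-backed object type is checked against a
# configuration flag before the directory is touched, independently of LDAP ACLs.
# The option names user_allow_create etc. are assumed here for illustration.

OBJECT_KINDS = ("user", "tenant", "role")
WRITE_ACTIONS = ("create", "update", "delete")

# Defaults preserve the old behaviour: keystone may write everything.
DEFAULT_LDAP_OPTIONS = {f"{k}_allow_{a}": True for k in OBJECT_KINDS for a in WRITE_ACTIONS}


def ad_managed_options():
    """Config for the reporter's case: AD owns the account lifecycle, so keystone
    must never create, update or delete users; tenants and roles stay writable."""
    opts = dict(DEFAULT_LDAP_OPTIONS)
    for action in WRITE_ACTIONS:
        opts[f"user_allow_{action}"] = False
    return opts


class ForbiddenAction(Exception):
    """Raised when configuration disables a write, regardless of LDAP permissions."""


class LdapObjectBackend:
    def __init__(self, kind, options, directory=None):
        self.kind = kind            # "user", "tenant" or "role"
        self.options = options
        # Constructed in-memory stand-in for the LDAP subtree of this object type.
        self.directory = {} if directory is None else directory

    def _check_allowed(self, action):
        flag = f"{self.kind}_allow_{action}"
        if not self.options.get(flag, True):
            raise ForbiddenAction(f"LDAP {self.kind} {action} is disabled ({flag} = False)")

    def get(self, obj_id):          # reads are never blocked by these flags
        return self.directory[obj_id]

    def create(self, obj_id, attrs):
        self._check_allowed("create")   # refused before any write happens
        self.directory[obj_id] = dict(attrs)
        return self.directory[obj_id]

    def update(self, obj_id, attrs):
        self._check_allowed("update")
        self.directory[obj_id].update(attrs)
        return self.directory[obj_id]

    def delete(self, obj_id):
        self._check_allowed("delete")
        del self.directory[obj_id]
```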

summary: - Configurable actions on LDAP backend in users
+ Configurable actions on LDAP backend in users, tenants and roles
Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/13339
Committed: http://github.com/openstack/keystone/commit/8152c2cb8698ce1fc868c02f2fa4d4301afc5738
Submitter: Jenkins
Branch: master

commit 8152c2cb8698ce1fc868c02f2fa4d4301afc5738
Author: Jose Castro Leon <email address hidden>
Date: Thu Sep 20 09:15:05 2012 +0200

    Configurable actions on LDAP backend in users Active Directory (bug 1052929)

    Change-Id: I99092eb4aee3b3b1b9cf297561577f1915c0e886

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) wrote :

Do not set to FixReleased until the fix is released in a milestone, thanks. This will be done automatically.

Changed in keystone:
status: Fix Released → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-1 → 2013.1