Provide config file fields for enable users in LDAP backend

Bug #1067516 reported by Adam Young
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Jose Castro Leon

Bug Description

To fully implement the enabled check in LDAP, the config file needs to say two things:

1. Which attribute indicates that a user is enabled or disabled
2. What value or values for that attribute indicate a user is enabled or disabled.

In addition, disabling a user might require a custom LDAPmodify call.

For some complex setups, checking for disabled users might require a more complex query. If so, we'll cover that in a different ticket.

Jose Castro Leon (jose-castro-leon) wrote :

In Active Directory there is a field that shows the status of the account as well as much more data.
In this case, if the userAccountControl user attribute equals 2, then the account is disabled.

The only issue is that the user may not be allowed to do a simple_bind if the account is disabled.

http://support.microsoft.com/kb/305144/en
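
An enabled check driven by the two configured values the description asks for (which attribute, and how to read it), covering the Active Directory case from the comment above. This is an added example, not Keystone's code: `EnabledCheck`, its field names, the `accountEnabled` attribute and the sample entries are assumptions. It reads userAccountControl as a bit field whose 0x2 bit is the disable flag, as the linked Microsoft KB article documents, so 514 is disabled as well as 2.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence


@dataclass(frozen=True)
class EnabledCheck:
    """Hypothetical config: which attribute to read and how to interpret it."""
    attribute: str                      # e.g. "userAccountControl" on AD
    disabled_mask: int = 0              # non-zero: attribute is a bit field
    enabled_values: Sequence[str] = ()  # used when disabled_mask == 0
    default_enabled: bool = False       # result when the attribute is absent


def is_enabled(entry: Mapping[str, Sequence[str]], cfg: EnabledCheck) -> bool:
    """Return True only if the entry is positively known to be enabled."""
    # LDAP attribute names are case-insensitive, so match them that way.
    values: Optional[Sequence[str]] = next(
        (v for k, v in entry.items() if k.lower() == cfg.attribute.lower()),
        None)
    if not values:
        return cfg.default_enabled
    raw = values[0].strip()
    if cfg.disabled_mask:
        try:
            flags = int(raw)
        except ValueError:
            return False  # unparseable flags: fail closed, treat as disabled
        return (flags & cfg.disabled_mask) == 0
    return raw.lower() in {v.lower() for v in cfg.enabled_values}


# Two constructed configurations: AD-style bit field, and a plain value list.
AD = EnabledCheck(attribute="userAccountControl", disabled_mask=0x2)
FLAG = EnabledCheck(attribute="accountEnabled", enabled_values=("TRUE", "yes"))

# Constructed sample entries (attribute name -> list of string values).
SAMPLES = {
    "alice": {"userAccountControl": ["512"]},     # normal account
    "bob": {"userAccountControl": ["514"]},       # normal account + disable bit
    "carol": {"useraccountcontrol": ["2"]},       # disable bit only
    "dave": {"userAccountControl": ["garbage"]},  # malformed value
    "erin": {"cn": ["erin"]},                     # attribute missing
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, is_enabled(entry, AD))
```

A strict equality test against 2 would report bob (514) as enabled, which is why the bit-field form is used here.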

Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Changed in keystone:
assignee: nobody → Jose Castro Leon (jose-castro-leon)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/14964

Changed in keystone:
status: Triaged → In Progress
tags: added: blueprint ldap-ad
Changed in keystone:
assignee: Jose Castro Leon (jose-castro-leon) → Dolph Mathews (dolph)
Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jose Castro Leon (jose-castro-leon)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/14964
Committed: http://github.com/openstack/keystone/commit/001f708e7d9ffc69c80f823e7ab5f79325cc8a40
Submitter: Jenkins
Branch: master

commit 001f708e7d9ffc69c80f823e7ab5f79325cc8a40
Author: Jose Castro Leon <email address hidden>
Date: Mon Oct 29 15:07:58 2012 +0100

    Provide config file fields for enable users in LDAP backend (bug1067516)

    DocImpact

    Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-1 → 2013.1