Allow LDAP account lock attributes to be used as enable attributes
Bug #1337029 reported by Nathan Kinder
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Wishlist | Nathan Kinder |
Bug Description
Some LDAP servers support disabling accounts via a boolean "lock" attribute. For these servers, a value in LDAP of "True" means that the account is locked, while a value of "False" means the account is active. Keystone currently expects a boolean "enabled" attribute where "True" means the account is enabled and "False" means the account is disabled.
To support LDAP account lock attributes, we need a way to tell Keystone that the boolean values from LDAP are inverted. This will avoid the need for an admin to create custom schema for a new "enabled" attribute or to use the emulated enabled group feature (which adds significant LDAP operation overhead as seen by packet capture).
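The inversion requested above, as an added example (not Keystone's code and not part of the original report): read without inversion, a locked account's "True" is taken as enabled. The function names, the `invert` and `attr_default` parameters, and the sample entries are hypothetical; `nsAccountLock` stands in as a sample lock attribute name.

```python
# Added illustration; names below are hypothetical, not Keystone's code.
TRUE_VALUES = {"true", "1", "yes"}
FALSE_VALUES = {"false", "0", "no"}


def parse_ldap_bool(raw):
    """Parse one LDAP attribute value (bytes or str) into a bool.

    Raises ValueError for anything unrecognised so callers can fail closed.
    """
    text = raw.decode("utf-8") if isinstance(raw, bytes) else str(raw)
    text = text.strip().lower()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    raise ValueError(f"not an LDAP boolean: {raw!r}")


def user_enabled(entry, attribute, invert=False, attr_default=False):
    """Return True if the account should be treated as enabled.

    entry        -- dict of attribute name -> list of values (python-ldap shape)
    attribute    -- name of the enabled or lock attribute
    invert       -- True when the attribute is a lock flag (True == locked)
    attr_default -- value assumed for the attribute when it is absent
    """
    values = entry.get(attribute) or []
    try:
        flag = parse_ldap_bool(values[0]) if values else attr_default
    except ValueError:
        return False  # unparseable value: treat the account as disabled
    return (not flag) if invert else flag


# Constructed sample entries using a lock-style attribute.
LOCKED = {"uid": [b"alice"], "nsAccountLock": [b"TRUE"]}
ACTIVE = {"uid": [b"bob"], "nsAccountLock": [b"false"]}
UNSET = {"uid": [b"carol"]}
GARBLED = {"uid": [b"dave"], "nsAccountLock": [b"maybe"]}

if __name__ == "__main__":
    for e in (LOCKED, ACTIVE, UNSET, GARBLED):
        print(e["uid"][0].decode(),
              "naive:", user_enabled(e, "nsAccountLock"),
              "inverted:", user_enabled(e, "nsAccountLock", invert=True))
```

An absent lock attribute is read as "not locked" here, so `attr_default` describes the LDAP attribute's value, not the resulting enabled state.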
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
Changed in keystone:
importance: Undecided → Critical
importance: Critical → Wishlist
tags: added: ldap
Changed in keystone:
milestone: none → juno-3
status: Fix Committed → Fix Released
Changed in keystone:
milestone: juno-3 → 2014.2
Fix proposed to branch: master
Review: https://review.openstack.org/104408