Create/Update Domain config with LDAP requires validation for User Bind Distinguished Name, User Tree Distinguished Name, Group Tree Distinguished Name
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Medium | Unassigned |
Bug Description
Validation is required for the fields user_tree_dn (User Tree Distinguished Name), group_tree_dn (Group Tree Distinguished Name) and user (User Bind Distinguished Name) for both the create and update domain config APIs. Currently the following issues occur:
1. If the user ("user bind name") contains invalid characters, then the connection to the LDAP server fails for any operation.
2. If the user_tree_dn contains invalid characters, then any operation on users for the LDAP server fails, e.g. list all users.
3. If the group_tree_dn contains invalid characters, then any operation on groups for the LDAP server fails, e.g. list all groups.
We believe that there should be a check on these 3 attribute values for invalid characters for the following APIs:
1. Create Domain config ({{url}
2. Update Domain config ({{url}
The current API returns success even when these attribute values contain invalid characters from an LDAP perspective.
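The check the report asks for is a syntax validation of the three DN-valued options before the domain config is accepted. The example below is added here and is not keystone's own code: it implements the RFC 4514 string form of a distinguished name (escaped specials, `\xx` hex pairs, `#hex` values, no unescaped `" + , ; < >`, no unescaped leading/trailing space, non-empty RDNs) and applies it to a config dict whose `ldap` section uses the option names from the report (`user`, `user_tree_dn`, `group_tree_dn`). The dict shape and the sample values are constructed for the example; the bind `user` is checked as a DN because the report names it one, so a deployment that binds with a bare account name would have to exempt that key.

```python
"""RFC 4514 DN syntax check applied to keystone-style [ldap] domain config
values.  Example added to the bug page; not keystone's own validator."""
import re

# Attribute type: a keystring such as "cn"/"ou" or a dotted numeric OID.
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$')
_HEX_PAIR = re.compile(r'^[0-9A-Fa-f]{2}$')
_SPECIAL = ' "#+,;<=>\\'   # characters that may directly follow a backslash


def _split_unescaped(text, sep):
    """Split on sep while honouring backslash escapes and \\xx hex pairs."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\':
            nxt = text[i + 1:i + 2]
            if nxt and nxt in _SPECIAL:
                cur.append(text[i:i + 2]); i += 2; continue
            if _HEX_PAIR.match(text[i + 1:i + 3]):
                cur.append(text[i:i + 3]); i += 3; continue
            raise ValueError('bad escape at offset %d in %r' % (i, text))
        if ch == sep:
            parts.append(''.join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def _check_value(value):
    """Validate one attribute value (RFC 4514 section 3 string/hexstring)."""
    if value == '':
        # Stricter than the RFC grammar, which permits an empty string value;
        # an empty value is never what a tree or bind DN is meant to carry.
        raise ValueError('empty attribute value')
    if value.startswith('#'):
        body = value[1:]
        if not body or len(body) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', body):
            raise ValueError('bad hex-encoded value %r' % value)
        return
    if '\x00' in value:
        raise ValueError('NUL byte in value')
    if value[0] == ' ' or value[-1] == ' ':
        raise ValueError('unescaped leading/trailing space in %r' % value)
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\':                       # escape already vetted by the splitter
            i += 3 if _HEX_PAIR.match(value[i + 1:i + 3]) else 2
            continue
        if ch in '"+,;<>':
            raise ValueError('unescaped %r in %r' % (ch, value))
        i += 1


def validate_dn(dn):
    """Return None if dn is a syntactically valid RFC 4514 DN, else the reason."""
    if not isinstance(dn, str):
        return 'DN must be a string'
    if dn == '':
        return None                          # the empty DN (root DSE) is legal
    try:
        for rdn in _split_unescaped(dn, ','):
            if rdn == '':
                return 'empty RDN in %r' % dn
            for ava in _split_unescaped(rdn, '+'):
                if '=' not in ava:
                    return 'missing "=" in %r' % ava
                atype, value = ava.split('=', 1)
                # .strip() tolerates the common "dc=a, dc=b" spacing after a comma.
                if not _ATTR_TYPE.match(atype.strip()):
                    return 'bad attribute type %r' % atype
                _check_value(value)
    except ValueError as exc:
        return str(exc)
    return None


def validate_ldap_domain_config(config):
    """Check the DN-valued keys of a domain config's [ldap] section.

    Returns a list of human-readable errors; an empty list means accept.
    The config dict shape is assumed for this example; the option names
    'user', 'user_tree_dn' and 'group_tree_dn' come from the bug report.
    """
    errors = []
    ldap = config.get('ldap', {})
    for key in ('user', 'user_tree_dn', 'group_tree_dn'):
        if key not in ldap:
            continue                         # option not set: nothing to validate
        value = ldap[key]
        if value == '':
            errors.append('%s: must not be empty' % key)
            continue
        reason = validate_dn(value)
        if reason is not None:
            errors.append('%s: %s' % (key, reason))
    return errors


# Constructed sample configs: one the API should accept, one it should reject.
GOOD_CONFIG = {'ldap': {
    'url': 'ldap://ldap.example.org',
    'user': 'cn=keystone-bind,ou=service,dc=example,dc=org',
    'user_tree_dn': 'ou=Users,dc=example,dc=org',
    'group_tree_dn': 'ou=Groups,dc=example,dc=org',
}}
BAD_CONFIG = {'ldap': {
    'user': 'cn=keystone bind;dc=example',          # unescaped ';'
    'user_tree_dn': 'ou=Users,,dc=example,dc=org',  # empty RDN
    'group_tree_dn': 'Groups,dc=example,dc=org',    # RDN without "attr="
}}

if __name__ == '__main__':
    print('good config errors:', validate_ldap_domain_config(GOOD_CONFIG))
    print('bad config errors:', validate_ldap_domain_config(BAD_CONFIG))
```

Run at create and update time, the three errors for `BAD_CONFIG` are what the API would return instead of the success the report describes; `GOOD_CONFIG` passes untouched. Syntax is all a server-side check can establish: a well-formed DN that does not exist in the directory still fails at bind or search time, so this complements rather than replaces a test bind.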
summary: Create IDP with LDAP requires validation for UDN, User Bind Distinguished Name, User Tree Distinguished Name, Group Tree Distinguished Name → Create/Update Domain config with LDAP requires validation for User Bind Distinguished Name, User Tree Distinguished Name, Group Tree Distinguished Name
tags: added: user-experience
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: low-hanging-fruit
Changed in keystone:
assignee: nobody → Tom Cocozzello (tjcocozz)
Prashant, do you have a scenario where I can recreate this? For the user bind name I don't think the format matters, and for the user_tree_dn and group_tree_dn there is a specific format that is set by LDAP.