Some operators configure their LDAP identity backends to allow anonymous binds for access to read-only information. This is a valid configuration within keystone, as keystone does not require LDAP credentials to be set in its config. Currently, if keystone is given LDAP credentials, it will attempt an initial authenticated bind at the same time that it creates a connection object[1]. If keystone does not have LDAP credentials, the first time it attempts to bind to the LDAP server will be upon the first time it executes a query, because pyldap will automatically attempt a "reconnect[2] if necessary, so there's not normally any problem. The only reason this would be a problem would be if we were trying to do some connection validation, which arose in a recent review[3]. In order to validate the connection, the first connection needs to happen in a predictable place regardless of the method of binding.
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py?h=11.0.0.0b1#n1286
[2] https://github.com/pyldap/pyldap/blob/pyldap-2.4.25.1/Lib/ldap/ldapobject.py#L1069
[3] https://review.openstack.org/#/c/390948/
Reviewed: https:/ /review. openstack. org/407561 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=f8ee249bf08 cefd8468aa15c58 9dab48bd5c4cd8
Committed: https:/
Submitter: Jenkins
Branch: master
commit f8ee249bf08cefd 8468aa15c589dab 48bd5c4cd8
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 6 15:40:02 2016 +0100
Add anonymous bind to get_connection method
If no username and password is specified in the keystone ldap
configuration, it may still be possible to bind to an LDAP server
anonymously if the LDAP server is configured to allow it. Currently,
upon creating a connection object, keystone only attempts to bind to
the LDAP server if a username and password has been provided to it.
This would rarely be an issue because pyldap attempts a reconnect upon
executing any ldap command, if necessary, and hence the anonymous bind
just happens later. It is a problem now because logic was added[1] to
check if the server errored during that initial connection, and for it
to work correctly the initial connection needs to happen in a
predictable place. This patch adds an anonymous bind to the
get_connection method so that no matter the credential configuration
the initial connection is consistent.
This required adding mocks to many of the LDAP backend tests since
every LDAP interaction now attempts a simple_bind_s() regardless of
whether credentials are configured in keystone.
[1] https:/ /review. openstack. org/#/c/ 390948
Closes-bug: #1649138
Change-Id: I193c9537c10709 2e48f7ea1d25ff9 c17f872c15b