ldap anonymous bind

Bug #1762587 reported by William Hankard
Affects: OpenStack Keystone LDAP integration
Status: Fix Committed
Importance: Wishlist
Assigned to: Samuel Allan

Bug Description

When using the keystone-ldap charm to deploy against an LDAP server, the ldap-user and ldap-password are required fields. In instances where no credentials are needed, as in an anonymous bind situation, one needs to populate dummy data in these fields for the charm to be unblocked so that the deployment can proceed. For keystone to query an LDAP directory, the ldap-user and ldap-password are not needed to successfully bind to the directory. Would it be possible to introduce a feature for using anonymous bind? Thank you.

Anonymous bind is supported since Ocata:
https://review.opendev.org/#/q/I193c9537c107092e48f7ea1d25ff9c17f872c15b

Revision history for this message
William Hankard (whankard) wrote :

Just an update. If I remove the values ldap-user/ldap-password from /etc/keystone/domains/keystone.domain.conf and restart the keystone service I am able to authenticate against the directory.

Frode Nordahl (fnordahl)
Changed in charm-keystone-ldap:
importance: Undecided → Wishlist
status: New → Triaged
Revision history for this message
Frode Nordahl (fnordahl) wrote :

Anonymous bind is indeed a common pattern in LDAP architectures and it allows for increased security by not storing any credentials on the server, utilizing end user provided credentials for all operations.

It has been supported by the upstream OpenStack Keystone LDAP driver in the past.

For this to have merit we would need to verify that this still works and that it plays nicely with other non-authentication operations Keystone might attempt to do. (Admin listing of users, filtering etc)

Revision history for this message
William Hankard (whankard) wrote :

The current version of keystone that I have installed is 13.0.0 (Queens) and the keystone-ldap charm version is #8. I have successfully listed my user id from my corporate directory without the ldap-user and ldap-password settings in my /etc/keystone/keystone.domain_ldap.conf file, so I am confident that the current version of keystone does support this function.

My request would be more of an enhancement to the keystone-ldap charm to have the ability to select an anonymous bind option where the user/password information would not be put into the conf file. As I said, I put dummy values in my configuration in order to satisfy the charm's complaint that there was incomplete data when I did not enter username/password credentials using juju config keystone-ldap from the command line. The command line did not complain about missing values, but when I looked at the juju gui the keystone-ldap charm was blocked.

Revision history for this message
Vern Hart (vern) wrote :

I would like to re-raise this old wishlist item.

The charm complains (enters a blocked state) if ldap-user and/or ldap-password are blank saying the LDAP configuration is incomplete. Specifically, the charm requires ldap-server, ldap-user, ldap-password, and ldap-suffix.

https://github.com/openstack/charm-keystone-ldap/blob/master/src/lib/charm/openstack/keystone_ldap.py#L128

An update to allow anonymous bind seems like it would be as simple as allowing blank values for user and password.

I'll experiment with some charm updates and report back.

Revision history for this message
Vern Hart (vern) wrote :

Indeed. Removing the requirement to have ldap-user and ldap-password leaves those fields blank in /etc/keystone/domains/keystone.*.conf and keystone user works as expected. This behavior is documented in the release notes (the most recent fix in Ocata), so I think it's reasonable to assume other functions work.

Submitting a quick patch, including notes in the readme.
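The two comments above describe the whole fix: stop treating ldap-user and ldap-password as mandatory, and leave them out of the generated domain config when blank so Keystone's LDAP driver performs an anonymous bind. The following is an added illustration, not code from the charm or from the patch linked above. It assumes a small LdapConfig record standing in for the charm's config options (hypothetical), and emits the Keystone `[ldap]` option names `url`, `suffix`, `user` and `password`. It also adds the check a practitioner would want when credentials become optional: the two options must be blank together or set together, because a DN with an empty password is an "unauthenticated" simple bind (RFC 4513, section 5.1.2), which some servers silently accept as anonymous rather than rejecting.

```python
# Added example: config validation and rendering for optional LDAP bind
# credentials. Not the charm's own code; LdapConfig is a hypothetical stand-in
# for the charm's ldap-* options.
from dataclasses import dataclass
from typing import List


@dataclass
class LdapConfig:
    ldap_server: str
    ldap_suffix: str
    ldap_user: str = ""      # optional after the fix
    ldap_password: str = ""  # optional after the fix


def missing_options(cfg: LdapConfig) -> List[str]:
    """Return the names of mandatory options that are blank.

    Before the fix the charm also listed ldap-user and ldap-password here and
    went into a blocked state when they were empty; now only the server URL
    and the search suffix are mandatory.
    """
    required = {"ldap-server": cfg.ldap_server, "ldap-suffix": cfg.ldap_suffix}
    return [name for name, value in required.items() if not (value or "").strip()]


def bind_mode(cfg: LdapConfig) -> str:
    """Classify the bind Keystone will perform from these options.

    'anonymous' when both credential options are blank, 'simple' when both are
    set. One-but-not-the-other is rejected: a bind DN with an empty password is
    an unauthenticated simple bind (RFC 4513 s5.1.2), which some directory
    servers treat as anonymous, so the operator would not get the
    authenticated service account they think they configured.
    """
    user = (cfg.ldap_user or "").strip()
    password = (cfg.ldap_password or "").strip()
    if user and password:
        return "simple"
    if not user and not password:
        return "anonymous"
    raise ValueError(
        "ldap-user and ldap-password must be set together or left blank together"
    )


def render_domain_conf(cfg: LdapConfig) -> str:
    """Render the [ldap] section of a Keystone domain config file.

    The user/password keys are only written for a simple bind; leaving them
    out entirely is what makes the Keystone LDAP driver bind anonymously.
    """
    missing = missing_options(cfg)
    if missing:
        raise ValueError("LDAP configuration incomplete: " + ", ".join(missing))
    lines = ["[ldap]", f"url = {cfg.ldap_server}", f"suffix = {cfg.ldap_suffix}"]
    if bind_mode(cfg) == "simple":
        lines += [f"user = {cfg.ldap_user}", f"password = {cfg.ldap_password}"]
    lines += ["", "[identity]", "driver = ldap"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not a real directory.
    anon = LdapConfig("ldap://ldap.example.test", "dc=example,dc=test")
    print(render_domain_conf(anon))
```

With both credential options blank the rendered file contains no `user =` or `password =` line at all, which is the state Vern reports as working; the blocked-state check fires only for a blank server or suffix.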

Changed in charm-keystone-ldap:
assignee: nobody → Samuel Walladge (swalladge)
status: Triaged → In Progress
Revision history for this message
Samuel Allan (samuelallan) wrote :

I picked up dev from Vern's patch above and submitted a patch here: https://review.opendev.org/c/openstack/charm-keystone-ldap/+/847121

Nobuto Murata (nobuto)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-ldap (master)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-ldap/+/847121
Committed: https://opendev.org/openstack/charm-keystone-ldap/commit/cb7fdb3527eda513554a521e8b594d36c168be3b
Submitter: "Zuul (22348)"
Branch: master

commit cb7fdb3527eda513554a521e8b594d36c168be3b
Author: Samuel Walladge <email address hidden>
Date: Wed Jun 22 14:19:20 2022 +0930

    Support ldap anonymous binding

    We can support this simply by allowing ldap-user and ldap-password
    configuration options to be optional.

    Closes-Bug: #1762587

    Co-authored-by: Vern Hart <email address hidden>

    Change-Id: I2668d90a58aac9d103240dc67061612358a67150

Changed in charm-keystone-ldap:
status: In Progress → Fix Committed
Revision history for this message
Vern Hart (vern) wrote :

This change has been committed to the master branch but does not yet exist in any of the stable/* branches.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-ldap (stable/yoga)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-ldap (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-ldap/+/878830
Committed: https://opendev.org/openstack/charm-keystone-ldap/commit/f3a12a28ce7b7f9d448712d977e8b7d30284089d
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit f3a12a28ce7b7f9d448712d977e8b7d30284089d
Author: Samuel Walladge <email address hidden>
Date: Wed Jun 22 14:19:20 2022 +0930

    Support ldap anonymous binding

    We can support this simply by allowing ldap-user and ldap-password
    configuration options to be optional.

    Closes-Bug: #1762587

    Co-authored-by: Vern Hart <email address hidden>

    Change-Id: I2668d90a58aac9d103240dc67061612358a67150
    (cherry picked from commit cb7fdb3527eda513554a521e8b594d36c168be3b)

tags: added: in-stable-yoga