Configurable actions on LDAP backend in users, tenants and roles

Bug #1052929 reported by Jose Castro Leon on 2012-09-19
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Undecided
Jose Castro Leon

Bug Description

In our environment we have an enterprise identity service that uses Active Directory, and manages the complete lifecycle of an account. LDAP backend allows to create accounts and there is no way to disable this behaviour. The proposal is to have some extra parameters that allows to disable user operations so we can still rely on our enterprise identity service and use the accounts from AD as well.

Changed in keystone:
assignee: nobody → Jose Castro Leon (jose-castro-leon)

Fix proposed to branch: master
Review: https://review.openstack.org/13339

Changed in keystone:
status: New → In Progress

This should be controlled by domain policies of ldap_user, isn't it?

You can use a read-only account on this part of the tree using LDAP permissions, and receive a nice exception in every operation that you do on user create, update and delete. This is another security measure if the LDAP permissions are not set or badly configured.

You can also raise nice exception on rights absence. And "one more check"... I still think it's bad. We shouldn't rely AD management on keystone.

As suggested by Adam Young, the implementation will allow configure actions on Tenants and Roles as well

summary: - Configurable actions on LDAP backend in users
+ Configurable actions on LDAP backend in users, tenants and roles
Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/13339
Committed: http://github.com/openstack/keystone/commit/8152c2cb8698ce1fc868c02f2fa4d4301afc5738
Submitter: Jenkins
Branch: master

commit 8152c2cb8698ce1fc868c02f2fa4d4301afc5738
Author: Jose Castro Leon <email address hidden>
Date: Thu Sep 20 09:15:05 2012 +0200

    Configurable actions on LDAP backend in users Active Directory (bug 1052929)

    Change-Id: I99092eb4aee3b3b1b9cf297561577f1915c0e886

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) wrote :

Do not set to FixReleased until the fix is released in a milestone, thanks. This will be done automatically.

Changed in keystone:
status: Fix Released → Fix Committed
Thierry Carrez (ttx) on 2012-11-22
Changed in keystone:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-04-04
Changed in keystone:
milestone: grizzly-1 → 2013.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers