Comment 5 for bug 1178032

Brant Knudson (blk-u) wrote : Re: ldap list members returns passwords

Taking a stab at Thierry's comments in #1:

"Should the attributes be filtered on Keystone side, or rather not be handed out by the LDAP server itself ?"

I think that if the Keystone server were configured to bind to the LDAP server as a non-administrator then the LDAP server would not include passwords in the response. So part of this is a configuration issue.

"Who can list those users ?"

Keystone's policy can be configured so that anybody can list group members. The default is admin only:
"identity:list_users_in_group": [["rule:admin_required"]],

"Doesn't that role already involve modifying the group members password ?"

Yes, this is probably the case. If the Keystone server is configured to bind to LDAP as admin, then the Keystone admin has the LDAP admin password.
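The comment above raises two mitigations: bind with a less privileged account so the directory never returns password hashes, and filter the attributes on the Keystone side. The following is an added illustration of the second option, written for this page and not taken from Keystone or from the commenter. It assumes the python-ldap result shape (a list of `(dn, {attribute: [bytes, ...]})` tuples); the member entries and the `SENSITIVE_ATTRS` set are constructed for the example, and the function names are hypothetical.

```python
"""Added illustration (not Keystone's code): scrub credential attributes
from LDAP group-member entries before they leave the identity layer.

Assumes python-ldap's result shape: a list of (dn, {attr: [bytes, ...]})
tuples. Sample entries are constructed, not captured from a real directory.
"""

# Credential-bearing attributes that must never reach an API caller, whatever
# the bind account happens to be allowed to read. LDAP attribute names are
# case-insensitive, so everything is compared in lower case. Constructed list.
SENSITIVE_ATTRS = frozenset(a.lower() for a in (
    "userPassword",
    "unicodePwd",
    "sambaNTPassword",
    "sambaLMPassword",
))

# Constructed sample of what an administrative bind might hand back when
# listing a group's members: the hashes below are fake placeholder values.
SAMPLE_MEMBERS = [
    ("cn=alice,ou=users,dc=example,dc=com", {
        "cn": [b"alice"],
        "mail": [b"alice@example.com"],
        "userPassword": [b"{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"],
    }),
    ("cn=bob,ou=users,dc=example,dc=com", {
        "cn": [b"bob"],
        "mail": [b"bob@example.com"],
        # Same attribute, different case, to show the filter is case-insensitive.
        "USERPASSWORD": [b"{SSHA}BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"],
        "sambaNTPassword": [b"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"],
    }),
]


def scrub_entry(dn, attrs, allowed):
    """Return a copy of one entry keeping only the attributes in `allowed`.

    An allowlist is preferred over a denylist: anything the identity API does
    not explicitly map is dropped, so a new credential attribute added to the
    directory schema cannot leak by default. The denylist is still consulted as
    a second layer in case an allowed name is ever misconfigured.
    """
    allowed_lower = {a.lower() for a in allowed}
    kept = {}
    for name, values in attrs.items():
        lname = name.lower()
        if lname in SENSITIVE_ATTRS:
            continue  # never, even if someone put it on the allowlist
        if lname in allowed_lower:
            kept[name] = list(values)
    return dn, kept


def list_users_in_group(members, allowed=("cn", "mail", "uid")):
    """Scrub every member entry returned for a group listing.

    `members` has the python-ldap search-result shape. `allowed` is the set of
    attributes the API actually exposes; this default is an assumption for the
    example, not Keystone's mapping.
    """
    return [scrub_entry(dn, attrs, allowed) for dn, attrs in members]


def leaked_credentials(entries):
    """Return the (dn, attribute) pairs that still carry a sensitive attribute.

    Intended as a final check before serialising a response: an empty list
    means nothing credential-bearing is about to leave the service.
    """
    return [
        (dn, name)
        for dn, attrs in entries
        for name in attrs
        if name.lower() in SENSITIVE_ATTRS
    ]


if __name__ == "__main__":
    # Before scrubbing, the constructed admin-bind result leaks three hashes.
    print("raw leaks:", leaked_credentials(SAMPLE_MEMBERS))
    scrubbed = list_users_in_group(SAMPLE_MEMBERS)
    print("scrubbed leaks:", leaked_credentials(scrubbed))
    for dn, attrs in scrubbed:
        print(dn, sorted(attrs))
```

Filtering at this layer is defence in depth, not a replacement for the bind-account fix the comment describes: a read-only service account that is not permitted to read `userPassword` means the hashes never cross the wire to Keystone in the first place, and the scrub then only guards against misconfiguration.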