From 1eaaf4ddb94626f3ff44931e764858161468e159 Mon Sep 17 00:00:00 2001
From: Jose Castro Leon
Date: Tue, 4 Jun 2013 11:59:35 -0400
Subject: [PATCH] Force simple Bind for authentication

The authentication code was using a common code path with other LDAP code that got an LDAP connection. If the system was configured to do Anonymous binding, users could by pass the authentication check. This patch forces the authentication code to do a simple_bind.

Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
---
 keystone/identity/backends/ldap/core.py | 14 ++------------
 tests/test_backend_ldap.py | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 1fad1120667f4d86f6d05c0109827be7e2160248..9ada436c8b2308a300966bacf8d2a7d78b118331 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -52,18 +52,6 @@ class Identity(identity.Driver):
         self.role = RoleApi(CONF)
         self.group = GroupApi(CONF)
 
-    def get_connection(self, user=None, password=None):
-        if self.LDAP_URL.startswith('fake://'):
-            conn = fakeldap.FakeLdap(self.LDAP_URL)
-        else:
-            conn = common_ldap.LdapWrapper(self.LDAP_URL)
-        if user is None:
-            user = self.LDAP_USER
-        if password is None:
-            password = self.LDAP_PASSWORD
-        conn.simple_bind_s(user, password)
-        return conn
-
     def _validate_domain(self, ref):
         """Validate that either the default domain or nothing is specified.
 
@@ -109,6 +97,8 @@ class Identity(identity.Driver):
         except exception.UserNotFound:
             raise AssertionError('Invalid user / password')
 
+        if not user_id or not password:
+            raise AssertionError('Invalid user / password')
         try:
             conn = self.user.get_connection(self.user._id_to_dn(user_id),
                                             password)
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index c0bceea52a6b550736146c88cacdc2fccb72053f..b2e33ee2c379e5662d07de8fbb0458a5acee647a 100644
--- a/tests/test_backend_ldap.py
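Review bot: The new empty-credential guard runs only after the lookup that the `except exception.UserNotFound` context above it presumably belongs to, so a request carrying no password still costs a directory search before it is refused; hoisting `if not user_id or not password: raise AssertionError('Invalid user / password')` to the top of `authenticate` (whose start and end lie outside this hunk) rejects it before any LDAP traffic. The guard also needs a why-comment, because a reader will otherwise assume `simple_bind_s` refuses an empty password by itself: `# An empty password turns the simple bind below into an RFC 4513 "unauthenticated" bind, which most directories treat as anonymous and accept — reject it before binding.` The bind itself still goes through `self.user.get_connection`, which this patch does not touch, so whether that path binds with the caller's DN and password rather than falling back to the configured service account cannot be confirmed from the hunk alone and should be checked in `common_ldap`.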
+++ b/tests/test_backend_ldap.py
@@ -595,6 +595,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
                                    'name': 'Default',
                                    'enabled': True}])
 
+    def test_authenticate_requires_simple_bind(self):
+        user = {
+            'id': 'no_meta',
+            'name': 'NO_META',
+            'domain_id': test_backend.DEFAULT_DOMAIN_ID,
+            'password': 'no_meta2',
+            'enabled': True,
+        }
+        self.identity_man.create_user({}, user['id'], user)
+        self.identity_api.add_user_to_project(self.tenant_baz['id'],
+                                              user['id'])
+        self.identity_api.user.LDAP_USER = None
+        self.identity_api.user.LDAP_PASSWORD = None
+
+        self.assertRaises(AssertionError,
+                          self.identity_api.authenticate,
+                          user_id=user['id'],
+                          tenant_id=self.tenant_baz['id'],
+                          password=None)
+
 
 class LDAPIdentityEnabledEmulation(LDAPIdentity):
     def setUp(self):
-- 
1.8.1.4
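Review bot: The new test exercises only `password=None`, while the guard it covers (`if not user_id or not password`) exists just as much for the empty string, which is what an HTTP client actually submits for a blank password field and is the value that produces an RFC 4513 unauthenticated bind; add a second expectation such as `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], tenant_id=self.tenant_baz['id'], password='')`. The name `test_authenticate_requires_simple_bind` also overstates what is asserted — nothing here verifies that a bind with the user's DN occurs, only that empty credentials are refused — so `test_authenticate_rejects_empty_password` would describe it more honestly. Setting `LDAP_USER` and `LDAP_PASSWORD` to `None` on the shared `identity_api` is never undone; that is harmless only if `setUp` rebuilds the driver for every test, which cannot be confirmed from this hunk.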