The ldap driver needs to bubble up some ldap exceptions

Bug #1373232 reported by Mahesh Sawaiker
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Won't Fix
Importance: Low
Assigned to: Unassigned

Bug Description

LDAP driver can bubble up some exceptions as 400 errors.
Examples: ldap.CONSTRAINT_VIOLATION and ldap.UNWILLING.

    def update_user(self, user_id, user):
        self.user.check_allow_update()
        if 'id' in user and user['id'] != user_id:
            raise exception.ValidationError(_('Cannot change user ID'))
        old_obj = self.user.get(user_id)
        # Defect 118381, user name update in ldap should be allowed.
        # if 'name' in user and old_obj.get('name') != user['name']:
        #     raise exception.Conflict(_('Cannot change user name'))

        # user = utils.hash_ldap_user_password(user)
        if self.user.enabled_mask:
            self.user.mask_enabled_attribute(user)
        try:
            self.user.update(user_id, user, old_obj)
        except ldap.CONSTRAINT_VIOLATION as e:
            if 'info' in e[0]:
                raise exception.ValidationError(e[0]['info'])
            else:
                raise AssertionError(_('Error updating user'))
        return self.user.get_filtered(user_id)

https://github.com/openstack/keystone/blob/1af24284bdc093dae4f027ade2ddb29656b676f0/keystone/identity/backends/ldap.py#L95-L111

tags: added: ldap user-experience
description: updated
Adam Young (ayoung) wrote :

Please explain why this is a problem.

Mahesh Sawaiker (mahesh-sawaiker) wrote :

We have password history repetition check, user lockout and password expiration.
This failure bubbles up as a 500 error or a 401; I am not sure if all the LDAP implementations give proper messages.
There is no way for the user to know his password has expired, account locked out or that the new password used is already present in history.
I know it may not be possible to handle all possible scenarios, but if LDAP server implementations are uniform (I am not sure if they are), then it can be done in a uniform way so that it works for most cases. Or it can be made configurable for the LDAP driver.
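The bug description and the comment above both come down to one missing piece: a single place that turns python-ldap exceptions (a password-history violation surfacing as ldap.CONSTRAINT_VIOLATION, a refused operation surfacing as ldap.UNWILLING_TO_PERFORM, an expired or locked account surfacing on bind) into a client-facing error with the right status and a message the user can act on, instead of an AssertionError that becomes a 500. The following is an added example, not Keystone's code and not from this bug report: the IdentityError/ValidationError/Unauthorized/Forbidden classes are local stand-ins for Keystone's exception module, translate_ldap_error and call_with_translation are names chosen here, the DEFAULT_HINTS substring table is constructed (it is the "configurable" part the comment asks for, since servers phrase policy failures differently), and when python-ldap is not installed a stub with the same exception shape (exc.args[0] is a dict with 'desc' and 'info') stands in for it.

```python
"""Translate python-ldap exceptions into client-facing identity errors.

Added example, not Keystone code. The IdentityError classes are stand-ins
for Keystone's exception module; DEFAULT_HINTS and the messages are
constructed for this example.
"""
import logging
import re

try:
    import ldap  # python-ldap, if installed
except ImportError:
    # Constructed stand-ins with python-ldap's shape: exc.args[0] is a dict
    # that may carry 'desc' (result name) and 'info' (server-supplied text).
    class _Ldap:
        class LDAPError(Exception):
            pass

        class CONSTRAINT_VIOLATION(LDAPError):
            pass

        class UNWILLING_TO_PERFORM(LDAPError):
            pass

        class INVALID_CREDENTIALS(LDAPError):
            pass

    ldap = _Ldap

LOG = logging.getLogger(__name__)


class IdentityError(Exception):
    """Stand-in for Keystone's base error: carries the HTTP status to return."""
    code = 500

    def __init__(self, message):
        super().__init__(message)
        self.message = message


class ValidationError(IdentityError):
    code = 400


class Unauthorized(IdentityError):
    code = 401


class Forbidden(IdentityError):
    code = 403


# Directory servers phrase policy failures differently; this constructed,
# operator-configurable substring table maps the common phrasings to one
# uniform, user-actionable message and status.
DEFAULT_HINTS = (
    ("history", ValidationError, "New password was used recently; choose one not in your history."),
    ("quality", ValidationError, "New password does not meet the directory's password policy."),
    ("expired", Unauthorized, "Password has expired and must be reset."),
    ("locked", Unauthorized, "Account is locked out."),
)

_NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")


def _detail(exc):
    """Return (info, desc) from a python-ldap exception, tolerating both shapes."""
    first = exc.args[0] if exc.args else {}
    if not isinstance(first, dict):
        return "", str(first)
    return first.get("info") or "", first.get("desc") or ""


def translate_ldap_error(exc, hints=DEFAULT_HINTS):
    """Return the IdentityError a client should see for a python-ldap exception.

    Full server detail goes to the server log; the client gets a short,
    printable message and a status reflecting the cause, never a bare 500.
    """
    info, desc = _detail(exc)
    LOG.warning("LDAP %s: desc=%r info=%r", type(exc).__name__, desc, info)
    lowered = info.lower()
    for needle, cls, message in hints:
        if needle in lowered:
            return cls(message)
    if isinstance(exc, ldap.CONSTRAINT_VIOLATION):
        # Unknown constraint: forward a bounded, printable excerpt of the server text.
        excerpt = _NON_PRINTABLE.sub("", info).strip()[:120]
        return ValidationError(excerpt or "Request violates a directory constraint.")
    if isinstance(exc, ldap.UNWILLING_TO_PERFORM):
        return Forbidden("The directory refused this operation for the account.")
    if isinstance(exc, ldap.INVALID_CREDENTIALS):
        return Unauthorized("Invalid credentials.")
    return IdentityError("Error updating user.")  # unexpected: still a 500


def call_with_translation(operation, *args, **kwargs):
    """Run an LDAP operation and re-raise any LDAPError as an IdentityError."""
    try:
        return operation(*args, **kwargs)
    except ldap.LDAPError as exc:
        raise translate_ldap_error(exc) from exc


if __name__ == "__main__":
    # Constructed sample failures, shaped like what python-ldap raises.
    samples = [
        ldap.CONSTRAINT_VIOLATION({"desc": "Constraint violation", "info": "Password is in history of old passwords"}),
        ldap.CONSTRAINT_VIOLATION({"desc": "Constraint violation", "info": "attr\x00X: bad\x1bvalue"}),
        ldap.UNWILLING_TO_PERFORM({"desc": "Server is unwilling to perform"}),
        ldap.INVALID_CREDENTIALS({"desc": "Invalid credentials", "info": "password expired"}),
    ]
    for sample in samples:
        err = translate_ldap_error(sample)
        print(f"{type(sample).__name__:22} -> {err.code} {err.message}")
```

Two design points. The server's raw `info` is never forwarded as-is: a known phrasing is replaced by a fixed message, and an unknown one is stripped of non-printable characters and capped, so a directory cannot push arbitrary text into an API response. And the "expired"/"locked" hints are appropriate for an operation by an already authenticated user (a self-service password change); on the bind path itself they tell an unauthenticated caller which accounts exist and are locked, so a deployment would pass a reduced hints table there and keep the uniform "Invalid credentials."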

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Morgan Fainberg (mdrnstm) wrote :

This has been deprioritized as new code will be developed (py3 compat) based on the ldap3 library. This has also been tagged as ldap-legacy so that the bug can be closed/addressed when the new isolated ldap3-based driver has been created and the old ldap driver can be deprecated.

The bug won't be closed until the current ldap driver is deprecated in favor of the ldap3-based driver (in case the direction shifts again).

Changed in keystone:
importance: Medium → Low
tags: added: ldap-legacy
David Stanek (dstanek) wrote :

LDAP is now read-only so this specific issue no longer applies. Please re-open if you still have problems that are unrelated to writing.

Changed in keystone:
status: Triaged → Won't Fix