Comment 34 for bug 1434034

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Even if the user is disabled, the last token can still be used and is validated

Morgan, Icehouse EOL is 15 months after its release, so it won't happen until somewhere in July... So we'll need a fix there too.

Title: User token revocation does not work with read-only LDAP backend
Reporter: Yukihiro KAWADA (GMO Internet, Inc)
Products: Keystone
Affects: up to 2014.1.4 and 2014.2 versions through 2014.2.2

Description:
Yukihiro KAWADA from GMO Internet, Inc reported a vulnerability in the Keystone read-only LDAP backend. When a user or group is disabled/deleted, the tokens for those users (or authorization for the users in the group) will not be revoked at all and will only expire according to the tokens' expiration date. Only setups using a read-only LDAP backend in Keystone are affected.
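To make the failure mode described in the impact description concrete, the following is an added stand-alone Python model. It is not Keystone code and not part of the bug thread: the classes `IdentityBackend`, `TokenStore`, the two validators and the `scenario()` data are all constructed for this illustration. It shows why a user disabled out-of-band in a read-only directory keeps a valid token until expiry when validation trusts revocation events alone, and the validation-time enabled-state check that closes that window.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    enabled: bool = True


class IdentityBackend:
    """Stand-in for a read-only LDAP directory (constructed for this example).

    The token service can look users up, but enabling/disabling is done
    out-of-band by the directory administrator, so no revocation hook in the
    token service ever runs when a user is disabled."""

    def __init__(self, users):
        self._users = {u.user_id: u for u in users}

    def get(self, user_id):
        return self._users.get(user_id)

    def admin_disables(self, user_id):
        # Out-of-band change in the directory: the token store is not told.
        self._users[user_id].enabled = False


@dataclass
class Token:
    token_id: str
    user_id: str
    expires_at: float


class TokenStore:
    """Minimal token store with an explicit revocation list (constructed)."""

    def __init__(self):
        self._tokens = {}
        self._revoked = set()

    def issue(self, token_id, user_id, ttl_seconds, now):
        tok = Token(token_id, user_id, now + ttl_seconds)
        self._tokens[token_id] = tok
        return tok

    def revoke_for_user(self, user_id):
        # A writable backend's disable/delete path would call this;
        # with a read-only directory nothing ever does.
        for tok in self._tokens.values():
            if tok.user_id == user_id:
                self._revoked.add(tok.token_id)

    def lookup(self, token_id):
        return self._tokens.get(token_id)

    def is_revoked(self, token_id):
        return token_id in self._revoked


def validate_naive(store, token_id, now):
    """Accepts any unexpired, unrevoked token: trusts revocation events alone."""
    tok = store.lookup(token_id)
    if tok is None or store.is_revoked(token_id):
        return False
    return now < tok.expires_at


def validate_hardened(store, backend, token_id, now):
    """Same checks, plus a live enabled-state lookup against the identity
    backend at validation time, so a disable that produced no revocation
    event still takes effect on the next use of the token."""
    if not validate_naive(store, token_id, now):
        return False
    user = backend.get(store.lookup(token_id).user_id)
    return user is not None and user.enabled


def scenario():
    """Constructed walk-through: issue a token, disable the user out-of-band,
    then validate under each policy before the disable, after it, and after
    the token's own expiry. Returns (naive, hardened) per phase."""
    backend = IdentityBackend([User("alice")])
    store = TokenStore()
    t0 = 1_000.0
    store.issue("tok-1", "alice", ttl_seconds=3600, now=t0)
    results = {}
    results["before_disable"] = (validate_naive(store, "tok-1", t0 + 1),
                                 validate_hardened(store, backend, "tok-1", t0 + 1))
    backend.admin_disables("alice")  # no revoke_for_user() call happens
    results["after_disable"] = (validate_naive(store, "tok-1", t0 + 2),
                                validate_hardened(store, backend, "tok-1", t0 + 2))
    results["after_expiry"] = (validate_naive(store, "tok-1", t0 + 3601),
                               validate_hardened(store, backend, "tok-1", t0 + 3601))
    return results


if __name__ == "__main__":
    for phase, (naive, hardened) in scenario().items():
        print(f"{phase:15s} naive={naive!s:5s} hardened={hardened}")
```

The `after_disable` phase is the bug: the naive validator still returns True because the only signals it consults are the revocation list and the expiry time, and neither changed. The cost of the hardened check is one backend lookup per validation, which is the trade-off a read-only backend forces when no revocation event can be emitted.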