Create/Update Domain config with LDAP requires validation for User Bind Distinguished Name, User Tree Distinguished Name, Group Tree Distinguished Name

Bug #1506062 reported by Prashant
Affects: OpenStack Identity (keystone)
Status: New
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Validation is required for the fields user_tree_dn (User Tree Distinguished Name), group_tree_dn (Group Tree Distinguished Name) and user (User Bind Distinguished Name) for both the create and update domain config APIs. Currently the following issues occur:

1. If the user ("user bind name") contains invalid characters, then the connection to the LDAP server for any of the operations fails.
2. If the user_tree_dn contains invalid characters, then any operation on users for the LDAP server fails (e.g. list all users).
3. If the group_tree_dn contains invalid characters, then any operation on groups for the LDAP server fails (e.g. list all groups).

We believe that there should be a check on these 3 attribute values for invalid characters for the following APIs:

1. Create Domain config ({{url}}/v3/domains/02ce011944aa4021b576c01e3c423d9f/config, PUT)
2. Update Domain config ({{url}}/v3/domains/02ce011944aa4021b576c01e3c423d9f/config, PATCH)

The current API returns success even when these attribute values contain invalid characters from an LDAP perspective.
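The kind of check the report asks for, written here as an added example rather than keystone's own code (and not the change proposed in the review linked below): a strict RFC 4514 syntax check over the three DN-valued options of the domain config's ldap section. The sample section is constructed, and the function names are this example's own; the option names are the ones the report gives.

```python
# Added example, not keystone's own code: a strict RFC 4514 syntax check for the
# DN-valued domain-config options; it checks syntax only, not that the DN exists.
import re

_SPECIAL = set('"+,;<>\\')           # must be escaped inside a value (RFC 4514 s.2.4)
_ESCAPABLE = _SPECIAL | set(' #=')  # everything a backslash may escape
_HEX = set('0123456789abcdefABCDEF')
# attributeType: a descriptor such as 'cn' or a numeric OID such as '2.5.4.3'
_TYPE_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$')
DN_OPTIONS = ('user', 'user_tree_dn', 'group_tree_dn')  # options named in the report

def _split_unescaped(text, separators):
    """Split text on any separator that is not part of a backslash escape."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):   # keep escape pairs intact
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch in separators:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(''.join(current))
    return parts

def _value_problem(value):
    """Return None if value is a valid attribute value, else the reason it is not."""
    if value == '':
        return None                            # the grammar allows an empty value
    if value[0] == '#':                        # a leading '#' introduces a hex string
        body = value[1:]
        if not body or len(body) % 2 or any(h not in _HEX for h in body):
            return 'value starting with "#" is not a valid hex string'
        return None
    if value[0] == ' ':
        return 'unescaped leading space'
    i, ends_with_bare_space = 0, False
    while i < len(value):
        ch = value[i]
        if ch == '\\':
            nxt, pair = value[i + 1:i + 2], value[i + 1:i + 3]
            if nxt and nxt in _ESCAPABLE:
                i += 2                         # '\,' style escape
            elif len(pair) == 2 and all(h in _HEX for h in pair):
                i += 3                         # '\2c' style escape
            else:
                return 'dangling or invalid escape at offset %d' % i
            ends_with_bare_space = False
            continue
        if ch in _SPECIAL or ch == '\x00':
            return 'unescaped special character %r at offset %d' % (ch, i)
        ends_with_bare_space = ch == ' '
        i += 1
    if ends_with_bare_space:
        return 'unescaped trailing space'
    return None

def validate_dn(dn):
    """Return a list of syntax problems in dn; an empty list means it parses."""
    if not isinstance(dn, str):
        return ['DN must be a string']
    if dn == '':
        return []                              # RFC 4514 allows the empty DN
    problems = []
    for index, rdn in enumerate(_split_unescaped(dn, ','), start=1):
        if rdn == '':
            problems.append('RDN %d is empty' % index)
            continue
        for atv in _split_unescaped(rdn, '+'):
            attr_type, sep, value = atv.partition('=')
            if not sep:
                problems.append('RDN %d: %r has no "="' % (index, atv))
                continue
            if not _TYPE_RE.match(attr_type):
                problems.append('RDN %d: bad attribute type %r' % (index, attr_type))
            reason = _value_problem(value)
            if reason:
                problems.append('RDN %d: %s' % (index, reason))
    return problems

def check_ldap_config(ldap_section):
    """Map each DN option of an 'ldap' section that fails validation to its problems."""
    errors = {}
    for option in DN_OPTIONS:
        problems = validate_dn(ldap_section[option]) if option in ldap_section else []
        if problems:
            errors[option] = problems
    return errors

# Constructed 'ldap' section in the shape of a v3 domain-config body; not real data.
SAMPLE_LDAP_SECTION = {
    'user': 'cn=svc+keystone,dc=example,dc=com',     # unescaped '+' splits the RDN
    'user_tree_dn': 'ou=Users,dc=example,dc=com',    # well formed
    'group_tree_dn': 'ou=Groups;dc=example,dc=com',  # unescaped ';'
}
```

Calling check_ldap_config(SAMPLE_LDAP_SECTION) reports user (the unescaped "+" leaves a valueless second part in the first RDN) and group_tree_dn (unescaped ";") and nothing for user_tree_dn; a create or update handler would reject the request whenever the returned dict is non-empty. The check is purely syntactic: a well-formed DN may still not exist on the server, and the optional whitespace around separators that RFC 4514 section 3 lets implementations accept is rejected by this strict form.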

Prashant (prashant-pb86)
summary: - Create IDP with LDAP requires validation for UDN,User Bind Distinguished
- Name, User Tree Distinguished Name,Group Tree Distinguished Name
+ Create/Update Domain config with LDAP requires validation for User Bind
+ Distinguished Name, User Tree Distinguished Name,Group Tree
+ Distinguished Name
Dolph Mathews (dolph)
tags: added: user-experience
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: low-hanging-fruit
Changed in keystone:
assignee: nobody → Tom Cocozzello (tjcocozz)
Tom Cocozzello (tjcocozz-deactivatedaccount) wrote:

Prashant, do you have a scenario where I can recreate this? For the user bind name I don't think the format matters, and for the user_tree_dn and group_tree_dn there are specific formats that are set by LDAP.

OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/241005

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Change abandoned on keystone (master)

Change abandoned by Tom Cocozzello (<email address hidden>) on branch: master
Review: https://review.openstack.org/241005
Reason: Validating config is not what keystone does, making this bug invalid.

Tom Cocozzello (tjcocozz-deactivatedaccount) wrote:

Sorry, I didn't have time to continue working on this bug. A good thing to note is that keystone does not validate any of its config options.

Changed in keystone:
assignee: Tom Cocozzello (tjcocozz) → nobody
status: In Progress → New
Steve Martinelli (stevemar) wrote:

Marking as a duplicate of 1517037.
