Initial LDAP bind occurs inconsistently depending on deployment configuration

Bug #1649138 reported by Colleen Murphy
This bug affects 1 person

Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Colleen Murphy

Bug Description

Some operators configure their LDAP identity backends to allow anonymous binds for access to read-only information. This is a valid configuration within keystone, as keystone does not require LDAP credentials to be set in its config. Currently, if keystone is given LDAP credentials, it will attempt an initial authenticated bind at the same time that it creates a connection object[1]. If keystone does not have LDAP credentials, the first time it attempts to bind to the LDAP server will be upon the first time it executes a query, because pyldap will automatically attempt a "reconnect"[2] if necessary, so there's not normally any problem. The only reason this would be a problem would be if we were trying to do some connection validation, which arose in a recent review[3]. In order to validate the connection, the first connection needs to happen in a predictable place regardless of the method of binding.

[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py?h=11.0.0.0b1#n1286
[2] https://github.com/pyldap/pyldap/blob/pyldap-2.4.25.1/Lib/ldap/ldapobject.py#L1069
[3] https://review.openstack.org/#/c/390948/
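The timing difference the report describes, as an added illustration that is not keystone's code: a constructed stand-in for pyldap's ReconnectLDAPObject (which binds lazily on the first command) is driven by a "before" get_connection that binds only when credentials are configured and an "after" one that always binds (anonymously with an empty DN and password when none are set), so a connect-time check sees a server failure in a predictable place only with the fix.

```python
class ServerDown(Exception):
    """Stands in for ldap.SERVER_DOWN (constructed for this example)."""


class FakeLDAPObject:
    """Minimal stand-in for pyldap's ReconnectLDAPObject (an assumption of
    this example): it records binds and raises when the "server" is down."""

    def __init__(self, server_up=True):
        self.server_up = server_up
        self.binds = []          # 'anonymous' or 'authenticated', in order

    def simple_bind_s(self, who='', cred=''):
        # In pyldap an empty DN and password is an anonymous simple bind.
        if not self.server_up:
            raise ServerDown('LDAP server is down')
        self.binds.append('authenticated' if who else 'anonymous')

    def search_s(self, base, scope, filterstr='(objectClass=*)'):
        # The reconnecting object binds on the first command if no bind
        # has happened yet, which is where the "before" code first fails.
        if not self.binds:
            self.simple_bind_s()
        return []


def get_connection_before(server_up, user=None, password=None):
    """Pre-fix behaviour: bind at connect time only if credentials exist."""
    conn = FakeLDAPObject(server_up)
    if user and password:
        conn.simple_bind_s(user, password)
    return conn


def get_connection_after(server_up, user=None, password=None):
    """Fixed behaviour: always bind, anonymously when no credentials exist."""
    conn = FakeLDAPObject(server_up)
    conn.simple_bind_s(user or '', password or '')
    return conn


def validate_connection(get_connection, server_up, user=None, password=None):
    """Connect-time validation like the check the report mentions.
    Returns where a down server is noticed: at connect, or only later."""
    try:
        conn = get_connection(server_up, user, password)
    except ServerDown:
        return 'failed-at-connect'
    try:
        conn.search_s('dc=example,dc=com', 2)   # constructed base DN
    except ServerDown:
        return 'failed-later'
    return 'ok'
```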

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Steve Martinelli (stevemar)
Changed in keystone:
importance: Undecided → Medium
assignee: Steve Martinelli (stevemar) → Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → ocata-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/407561
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f8ee249bf08cefd8468aa15c589dab48bd5c4cd8
Submitter: Jenkins
Branch: master

commit f8ee249bf08cefd8468aa15c589dab48bd5c4cd8
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 6 15:40:02 2016 +0100

    Add anonymous bind to get_connection method

    If no username and password is specified in the keystone ldap
    configuration, it may still be possible to bind to an LDAP server
    anonymously if the LDAP server is configured to allow it. Currently,
    upon creating a connection object, keystone only attempts to bind to
    the LDAP server if a username and password have been provided to it.
    This would rarely be an issue because pyldap attempts a reconnect upon
    executing any ldap command, if necessary, and hence the anonymous bind
    just happens later. It is a problem now because logic was added[1] to
    check if the server errored during that initial connection, and for it
    to work correctly the initial connection needs to happen in a
    predictable place. This patch adds an anonymous bind to the
    get_connection method so that no matter the credential configuration
    the initial connection is consistent.

    This required adding mocks to many of the LDAP backend tests since
    every LDAP interaction now attempts a simple_bind_s() regardless of
    whether credentials are configured in keystone.

    [1] https://review.openstack.org/#/c/390948

    Closes-bug: #1649138

    Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b3

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.
