From 1c26319634ed7f1023e222bec1f26f4569939382 Mon Sep 17 00:00:00 2001
From: Jose Castro Leon
Date: Tue, 4 Jun 2013 11:59:35 -0400
Subject: [PATCH] Force simple Bind for authentication

The authentication code was using a common code path with other LDAP code that got an LDAP connection. If the system was configured to do Anonymous binding, users could by pass the authentication check. This patch forces the authentication code to do a simple_bind.

Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
---
 keystone/identity/backends/ldap/core.py | 14 +-------------
 tests/test_backend_ldap.py | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 1fad1120667f4d86f6d05c0109827be7e2160248..c5adf976267cb451c1162ae1bbc077a780a2b457 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -52,18 +52,6 @@ class Identity(identity.Driver):
         self.role = RoleApi(CONF)
         self.group = GroupApi(CONF)
 
-    def get_connection(self, user=None, password=None):
-        if self.LDAP_URL.startswith('fake://'):
-            conn = fakeldap.FakeLdap(self.LDAP_URL)
-        else:
-            conn = common_ldap.LdapWrapper(self.LDAP_URL)
-        if user is None:
-            user = self.LDAP_USER
-        if password is None:
-            password = self.LDAP_PASSWORD
-        conn.simple_bind_s(user, password)
-        return conn
-
     def _validate_domain(self, ref):
         """Validate that either the default domain or nothing is specified.
 
@@ -111,7 +99,7 @@ class Identity(identity.Driver):
         try:
             conn = self.user.get_connection(self.user._id_to_dn(user_id),
-                                            password)
+                                            password, allow_anonymous=False)
             if not conn:
                 raise AssertionError('Invalid user / password')
         except Exception:
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index c0bceea52a6b550736146c88cacdc2fccb72053f..b2e33ee2c379e5662d07de8fbb0458a5acee647a 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
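Review bot: The new `allow_anonymous=False` argument on the `get_connection` call only closes the bypass if the connection layer actually refuses to bind when no password is supplied, and that implementation is not part of this diff — presumably it lives in the common LDAP wrapper; confirm it treats an empty string the same as `None`, since a bind with a DN and an empty password is an unauthenticated bind that most directory servers accept. A belt-and-braces guard in `authenticate` itself, placed before the `try:` line, removes that dependency: `if not password:` / `raise AssertionError('Invalid user / password')`. Note also that the `AssertionError` raised on `if not conn:` is thrown inside the `try` and lands in the `except Exception:` on the last line, whose handler is outside the hunk, so whether it reaches the caller unchanged cannot be checked here. The `authenticate` method starts and ends outside the hunk.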
@@ -595,6 +595,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
                              'name': 'Default',
                              'enabled': True}])
 
+    def test_authenticate_requires_simple_bind(self):
+        user = {
+            'id': 'no_meta',
+            'name': 'NO_META',
+            'domain_id': test_backend.DEFAULT_DOMAIN_ID,
+            'password': 'no_meta2',
+            'enabled': True,
+        }
+        self.identity_man.create_user({}, user['id'], user)
+        self.identity_api.add_user_to_project(self.tenant_baz['id'],
+                                              user['id'])
+        self.identity_api.user.LDAP_USER = None
+        self.identity_api.user.LDAP_PASSWORD = None
+
+        self.assertRaises(AssertionError,
+                          self.identity_api.authenticate,
+                          user_id=user['id'],
+                          tenant_id=self.tenant_baz['id'],
+                          password=None)
+
 
 class LDAPIdentityEnabledEmulation(LDAPIdentity):
     def setUp(self):
--
1.8.1.4
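Review bot: `test_authenticate_requires_simple_bind` only exercises `password=None`; the same assertion with an empty string would pin the other credential shape that degrades to an unauthenticated bind on a real server, e.g. `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], tenant_id=self.tenant_baz['id'], password='')`. The test also clears `LDAP_USER` and `LDAP_PASSWORD` on `self.identity_api.user` without restoring them; if that driver instance is shared beyond this test (it appears to come from `setUp`, which is outside the hunk) later tests in the class would inherit the cleared service credentials. A one-line docstring would make the intent readable without the commit message: `"""Authenticating without a password must not fall back to an anonymous bind."""`. The enclosing `LDAPIdentity` class continues outside the hunk.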