commit 459000d7aa3fa1ace05c800ff1273b99fbd8babe
Author: Nick Wilburn <email address hidden>
Date: Sat Aug 11 14:21:11 2018 -0700

    fix ldappool bad password retry logic

    This patch fixes a bug in ldappool which causes a bind attempt
    utilizing a bad password to be retried until the retry limit has been
    reached. Instead ldappool will now break out of the retry loop if the
    ldap connection try block catches a ldap.INVALID_PASSWORD exception.

    Previously ldappool would attempt to catch ldap.LDAPError which is
    the base exception class for all ldap errors in the python-ldap
    library. This is an issue because Keystone by default enables
    ldappool and configures the default retry value to be 3. An LDAP
    server with a password lockout threshold of 3 bad passwords will
    lock out a user after a single bad password attempt through Keystone.

Reviewed: https://review.openstack.org/591174
Committed: https://git.openstack.org/cgit/openstack/ldappool/commit/?id=459000d7aa3fa1ace05c800ff1273b99fbd8babe
Submitter: Zuul
Branch: master
Change-Id: I2a9b850ce977260d4df1e9edf86417b8042a6fb8
Closes-Bug: #1785898
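
The retry behaviour the commit message describes, as an added example that is not ldappool's own code: a simplified model of the bind retry loop before and after the fix, run against a constructed directory with a lockout threshold of 3. The exception classes, `FakeDirectory`, `bind_old` and `bind_fixed` are hypothetical stand-ins, and the loops return `False` on failure for brevity.

```python
# Stand-ins for the exception hierarchy the commit message describes:
# one base error class, with the bad-password error as a subclass of it.
class LDAPError(Exception): pass
class InvalidPassword(LDAPError): pass
class ServerDown(LDAPError): pass

class FakeDirectory:
    """Constructed LDAP server model with a bad-password lockout threshold."""
    def __init__(self, password, lockout_threshold=3, outages=0):
        self.password = password
        self.lockout_threshold = lockout_threshold
        self.outages = outages        # transient failures to simulate first
        self.failed_binds = 0         # what the lockout policy counts

    @property
    def locked(self):
        return self.failed_binds >= self.lockout_threshold

    def bind(self, password):
        if self.outages:
            self.outages -= 1
            raise ServerDown("transient failure")
        if self.locked or password != self.password:
            self.failed_binds += 1
            raise InvalidPassword("bind rejected")
        self.failed_binds = 0
        return True

def bind_old(server, password, retry_max=3):
    """Pre-fix: every LDAPError, a bad password included, is retried."""
    for _ in range(retry_max):
        try:
            return server.bind(password)
        except LDAPError:
            continue
    return False

def bind_fixed(server, password, retry_max=3):
    """Post-fix: a bad password ends the loop; other errors still retry."""
    for _ in range(retry_max):
        try:
            return server.bind(password)
        except InvalidPassword:
            break
        except LDAPError:
            continue
    return False
```

With `bind_old`, one mistyped password registers three failed binds and locks the account; with `bind_fixed` it registers one, while transient `ServerDown` errors are still retried.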