Comment 3 for bug 1785898

OpenStack Infra (hudson-openstack) wrote : Fix merged to ldappool (master)

Reviewed: https://review.openstack.org/591174
Committed: https://git.openstack.org/cgit/openstack/ldappool/commit/?id=459000d7aa3fa1ace05c800ff1273b99fbd8babe
Submitter: Zuul
Branch: master

commit 459000d7aa3fa1ace05c800ff1273b99fbd8babe
Author: Nick Wilburn <email address hidden>
Date: Sat Aug 11 14:21:11 2018 -0700

    fix ldappool bad password retry logic

    This patch fixes a bug in ldappool which causes a bind attempt
    utilizing a bad password to be retried until the retry limit has been
    reached. Instead ldappool will now break out of the retry loop if the
    ldap connection try block catches a ldap.INVALID_PASSWORD exception.

    Previously ldappool would attempt to catch ldap.LDAPError which is
    the base exception class for all ldap errors in the python-ldap
    library. This is an issue because Keystone by default enables
    ldappool and configures the default retry value to be 3. An LDAP
    server with a password lockout threshold of 3 bad passwords will
    lock out a user after a single bad password attempt through Keystone.

    Change-Id: I2a9b850ce977260d4df1e9edf86417b8042a6fb8
    Closes-Bug: #1785898
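
The retry behaviour the commit message describes, as an added example that is not the ldappool code: python-ldap is replaced by stand-in exception classes and a constructed in-memory directory so it runs offline, and `FakeDirectory`, `bind_with_retry` and `attempts_charged` are hypothetical names. It counts how many failed binds the server records for one bad login, with and without the early exit.

```python
# Stand-ins for python-ldap exceptions (assumption: the real library is not imported).
class LDAPError(Exception): pass        # plays the role of ldap.LDAPError
class InvalidPassword(LDAPError): pass  # the bad-password error the commit message names
class ServerDown(LDAPError): pass       # a transient error that is worth retrying

class FakeDirectory:
    """Constructed LDAP server that counts bad passwords towards a lockout."""
    def __init__(self, password, lockout_threshold=3, outages=0):
        self.password = password
        self.lockout_threshold = lockout_threshold
        self.outages = outages          # binds that fail transiently first
        self.bad_attempts = 0

    def locked(self):
        return self.bad_attempts >= self.lockout_threshold

    def bind(self, password):
        if self.outages > 0:
            self.outages -= 1
            raise ServerDown("connection refused")
        if self.locked() or password != self.password:
            self.bad_attempts += 1
            raise InvalidPassword("bind rejected")

def bind_with_retry(directory, password, retry_max=3, stop_on_bad_password=True):
    """Return the number of bind attempts used; raise the last error on failure."""
    last_error = None
    for attempt in range(1, retry_max + 1):
        try:
            directory.bind(password)
            return attempt
        except InvalidPassword as error:
            last_error = error
            if stop_on_bad_password:    # fixed behaviour: a retry cannot succeed
                break
        except LDAPError as error:      # any other LDAP error: keep retrying
            last_error = error
    raise last_error

def attempts_charged(stop_on_bad_password):
    """One bad login through the pool: (failures counted by server, locked?)."""
    directory = FakeDirectory("correct horse")
    try:
        bind_with_retry(directory, "wrong", stop_on_bad_password=stop_on_bad_password)
    except InvalidPassword:
        pass
    return directory.bad_attempts, directory.locked()
```

With `stop_on_bad_password=False` the loop models the broad `LDAPError` catch: a single bad login consumes the whole lockout threshold, while transient errors are still retried in both modes.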