yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1209440] Re: LDAP identity still allows setting domain via attribute

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 02 Oct 2013 11:30:02 -0000
Reply-to: Bug 1209440 <1209440@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1209440

Title:
  LDAP identity still allows setting domain via attribute

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  At keystone/identity/backends/ldap.py:230 we allow mapping domain_id
  of a user based on the attribute specified in
  conf.ldap.user_domain_id_attribute which defaults to
  'businessCategory'.

  My understanding is that this is no longer required and should no
  longer be allowed and indeed in practice it completely overrides any
  domain information that is provided in the authentication body.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1209440/+subscriptions