
yahoo-eng-team team mailing list archive

[Bug 1337029] [NEW] Allow LDAP account lock attributes to be used as enable attributes

 

Public bug reported:

Some LDAP servers support disabling accounts via a boolean "lock"
attribute.  For these servers, a value in LDAP of "True" means that the
account is locked, while a value of "False" means the account is active.
Keystone currently expects a boolean "enabled" attribute where "True"
means the account is enabled and "False" means the account is disabled.

To support LDAP account lock attributes, we need a way to tell Keystone
that the boolean values from LDAP are inverted.  This will avoid the
need for an admin to create custom schema for a new "enabled" attribute
or to use the emulated enabled group feature (which adds significant
LDAP operation overhead as seen by packet capture).

** Affects: keystone
     Importance: Undecided
     Assignee: Nathan Kinder (nkinder)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Nathan Kinder (nkinder)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1337029

Title:
  Allow LDAP account lock attributes to be used as enable attributes

Status in OpenStack Identity (Keystone):
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1337029/+subscriptions
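
The inverted mapping requested above, as an added example that is not Keystone's code and not part of the original bug report. The function names, the `invert` flag, and the `accountLocked` attribute are hypothetical; as an assumed policy, an absent attribute falls back to a caller-supplied default and an unparseable value is treated as disabled.

```python
# Added illustration: all names here are hypothetical, not Keystone's API.

def _parse_ldap_bool(values):
    """Parse a single-valued LDAP boolean. Returns True, False, or None if invalid."""
    if len(values) != 1:
        return None  # multi-valued booleans are ambiguous
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    text = raw.strip().lower()
    if text == "true":
        return True
    if text == "false":
        return False
    return None


def ldap_to_enabled(entry, attr, invert, default_enabled=False):
    """Map an LDAP enable or lock attribute to an 'enabled' flag.

    invert=False: attribute is an "enabled" flag (TRUE means enabled).
    invert=True:  attribute is a "lock" flag (TRUE means locked, so disabled).
    """
    values = entry.get(attr)
    if not values:
        return default_enabled  # attribute absent: assumed deployment default
    parsed = _parse_ldap_bool(values)
    if parsed is None:
        return False  # assumed policy: fail closed on garbage values
    return (not parsed) if invert else parsed


def enabled_to_ldap(enabled, invert):
    """Inverse mapping for writes, so disabling a user sets the lock to TRUE."""
    stored = (not enabled) if invert else enabled
    return [b"TRUE" if stored else b"FALSE"]


if __name__ == "__main__":
    # Constructed sample entries, shaped like python-ldap search results.
    locked = {"accountLocked": [b"TRUE"]}
    active = {"accountLocked": [b"FALSE"]}
    print(ldap_to_enabled(locked, "accountLocked", invert=True))  # locked user
    print(ldap_to_enabled(active, "accountLocked", invert=True))  # active user
```
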

