yahoo-eng-team team mailing list archive
Message #19877
[Bug 1365456] [NEW] Keystone ldap driver should allow for a mechanism to propagate ldap messages when needed
Public bug reported:
The ldap driver overwrites any error messages seen during binding with User Name/Password invalid.
Need a mechanism to allow for propagating the messages further based on some configuration.
For example, LDAP may be configured to lock an account on multiple auth
failures; in such a case the user should know his account is locked.
I did this by modifying code as follows.
"/usr/lib/python2.6/site-packages/keystone/auth/plugins/password.py" -
changes from line 125 to 126
115         try:
116             self.identity_api.authenticate(
117                 context,
118                 user_id=user_info.user_id,
119                 password=user_info.password,
120                 domain_scope=user_info.domain_id)
121         except AssertionError as e:
122             # authentication failed because of invalid username or password
123             msg = _('Invalid username or password')
124
125             if str(e) == "Error, Account is locked":
126                 msg = _('Error, Account is locked')
vim /usr/lib/python2.6/site-packages/keystone/identity/backends/ldap.py - changes from line 67 to 69
53
54     def authenticate(self, user_id, password):
55         try:
56             user_ref = self._get_user(user_id)
57         except exception.UserNotFound:
58             raise AssertionError(_('Invalid user / password'))
59         if not user_id or not password:
60             raise AssertionError(_('Invalid user / password'))
61         conn = None
62         try:
63             conn = self.user.get_connection(self.user._id_to_dn(user_id),
64                                             password)
65             if not conn:
66                 raise AssertionError(_('Invalid user / password'))
67         except ldap.UNWILLING_TO_PERFORM as e:
68             raise AssertionError(e[0]['info'])
69         except Exception:
70             raise AssertionError(_('Invalid user / password'))
71         finally:
72             if conn:
73                 conn.unbind_s()
74         return identity.filter_user(user_ref)
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1365456
Title:
Keystone ldap driver should allow for a mechanism to propagate ldap
messages when needed
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1365456/+subscriptions
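A configuration-gated way to propagate bind failures, as an added example that is not part of the original report and is not Keystone code: the raw directory diagnostic is always logged for operators, and the client sees a fixed message only when the operator has opted in and the diagnostic matches an allowlist, since a distinct "locked" reply also confirms that the account exists. The `propagate` flag, `ALLOWED_DETAILS`, `client_message` and the two exception classes (stand-ins for python-ldap's exceptions, whose first argument is a dict with `desc` and `info`) are assumptions for illustration.

```python
import logging

LOG = logging.getLogger("ldap_auth_example")
GENERIC_MSG = "Invalid username or password"


# Stand-ins for python-ldap exceptions: args[0] is a dict with 'desc'
# and, optionally, a server-supplied 'info' string.
class UnwillingToPerform(Exception):
    pass


class InvalidCredentials(Exception):
    pass


# Hypothetical allowlist: substring of the directory's diagnostic text
# mapped to the fixed message a client is allowed to see.
ALLOWED_DETAILS = {"account is locked": "Account is locked"}


def client_message(exc, propagate=False, allowed=ALLOWED_DETAILS):
    """Map a bind failure to the message returned to the client."""
    detail = ""
    if exc.args and isinstance(exc.args[0], dict):
        detail = str(exc.args[0].get("info", ""))
    # Operators always get the raw diagnostic; %r keeps it on one log line.
    LOG.warning("LDAP bind failed: %s: %r", type(exc).__name__, detail)
    if propagate and isinstance(exc, UnwillingToPerform):
        for needle, message in allowed.items():
            if needle in detail.lower():
                return message
    # Anything not allowlisted collapses to the generic message.
    return GENERIC_MSG


# Constructed sample failures, not captured from a real directory.
SAMPLES = [
    UnwillingToPerform({"desc": "Server is unwilling to perform",
                        "info": "Error, Account is locked"}),
    UnwillingToPerform({"desc": "Server is unwilling to perform",
                        "info": "backend db02 is read-only"}),
    InvalidCredentials({"desc": "Invalid credentials"}),
]

if __name__ == "__main__":
    for exc in SAMPLES:
        print(client_message(exc, propagate=True))
```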