yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1337029] Re: Allow LDAP account lock attributes to be used as enable attributes

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Sep 2014 14:35:10 -0000
Reply-to: Bug 1337029 <1337029@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1337029

Title:
  Allow LDAP account lock attributes to be used as enable attributes

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Some LDAP servers support disabling accounts via a boolean "lock"
  attribute.  For these servers, a value in LDAP of "True" means that
  the account is locked, while a value of "False" means the account is
  active.  Keystone currently expects a boolean "enabled" attribute
  where "True" means the account is enabled and "False" means the
  account is disabled.

  To support LDAP account lock attributes, we need a way to tell
  Keystone that the boolean values from LDAP are inverted.  This will
  avoid the need for an admin to create custom schema for a new
  "enabled" attribute or to use the emulated enabled group feature
  (which adds significant LDAP operation overhead as seen by packet
  capture).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1337029/+subscriptions

References

[Bug 1337029] [NEW] Allow LDAP account lock attributes to be used as enable attributes
From: Nathan Kinder, 2014-07-03