yahoo-eng-team team mailing list archive

[Bug 1241134] Re: Using LDAP with enabled ignored, no error when attempt to change

 

** Also affects: keystone/juno
   Importance: Undecided
       Status: New

** Changed in: keystone/juno
    Milestone: None => 2014.2.2

** Changed in: keystone/juno
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1241134

Title:
  Using LDAP with enabled ignored, no error when attempt to change

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone juno series:
  Fix Committed

Bug description:
  
  When the Keystone server is configured to use LDAP as the identity backend and 'enabled' is in user_attribute_ignore and then the user is disabled (for example with keystone user-update --enabled false), the server returns successfully and the command doesn't report an error even though the user remains enabled.

  The server should report an error like 403 Forbidden or 501 Not
  Implemented if the user tries to change the enabled attribute and it's
  ignored.

  This would improve security since the way it is now Keystone gives the
  impression that the user has been disabled even when they have not
  been.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1241134/+subscriptions
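
The failure mode in the bug description above, as an added example that is not part of the original report and is not Keystone's code: a silent-drop update beside a strict one that refuses to change an ignored attribute. The class, method and exception names and the in-memory user record are hypothetical and constructed for illustration; the strict path only rejects requests that would actually change the ignored value, which is this sketch's choice.

```python
# Added illustration: hypothetical names, not Keystone's own code.
class ForbiddenAction(Exception):
    """Stands in for an HTTP 403 response in this sketch."""


class LdapUserStore:
    """In-memory stand-in for an LDAP identity backend (constructed data)."""

    def __init__(self, attribute_ignore):
        self.attribute_ignore = set(attribute_ignore)
        # Assumption: with 'enabled' ignored, every user reads back as enabled.
        self.users = {"u1": {"name": "alice", "enabled": True}}

    def update_silent(self, user_id, changes):
        """Reported behaviour: ignored attributes are dropped, success is returned."""
        applied = {k: v for k, v in changes.items()
                   if k not in self.attribute_ignore}
        self.users[user_id].update(applied)
        return dict(self.users[user_id])

    def update_strict(self, user_id, changes):
        """Requested behaviour: refuse a change the backend cannot persist."""
        current = self.users[user_id]
        blocked = sorted(k for k, v in changes.items()
                         if k in self.attribute_ignore and current.get(k) != v)
        if blocked:
            raise ForbiddenAction(
                "cannot change ignored attribute(s): " + ", ".join(blocked))
        return self.update_silent(user_id, changes)


def disable_user(store, strict):
    """Try to disable u1; return (outcome reported to caller, enabled flag after)."""
    update = store.update_strict if strict else store.update_silent
    try:
        update("u1", {"enabled": False})
        outcome = "success"
    except ForbiddenAction:
        outcome = "forbidden"
    return outcome, store.users["u1"]["enabled"]


if __name__ == "__main__":
    store = LdapUserStore(attribute_ignore=["enabled"])
    print(disable_user(store, strict=False))  # caller is told it worked
    print(disable_user(store, strict=True))   # caller is told it was refused
```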