yahoo-eng-team team mailing list archive

[Bug 1506062] [NEW] Create/Update Domain config with LDAP requires validation for User Bind Distinguished Name, User Tree Distinguished Name, Group Tree Distinguished Name

 

Public bug reported:

Validation is required for the fields user_tree_dn (User Tree
Distinguished Name), group_tree_dn (Group Tree Distinguished Name), and
user (User Bind Distinguished Name) for both the create and update
domain config APIs. Currently the following issues occur:

1. If the user ("user bind name") contains invalid characters, then the connection to the LDAP server fails for any of the operations.
2. If the user_tree_dn contains invalid characters, then any operation on users for the LDAP server fails, e.g. list all users.
3. If the group_tree_dn contains invalid characters, then any operation on groups for the LDAP server fails, e.g. list all groups.


We believe that there should be a check on these 3 attribute values for invalid characters for the following APIs:

1. Create Domain config ({{url}}/v3/domains/02ce011944aa4021b576c01e3c423d9f/config, PUT)
2. Update Domain config ({{url}}/v3/domains/02ce011944aa4021b576c01e3c423d9f/config, PATCH)


The current API returns success even when these attribute values contain invalid characters from an LDAP perspective.

** Affects: keystone
     Importance: Undecided
         Status: New

** Summary changed:

- Create IDP with LDAP requires validation for UDN,User Bind Distinguished Name, User Tree Distinguished Name,Group Tree Distinguished Name 
+ Create/Update Domain config with LDAP requires validation for User Bind Distinguished Name, User Tree Distinguished Name,Group Tree Distinguished Name

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1506062

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1506062/+subscriptions
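
The check the report asks for could look like the following. This is an added example, not keystone code and not part of the original report: it tests the three options against the RFC 4514 distinguished-name grammar before a domain config is stored. It assumes the `ldap` group of the request body is available as a dict; `validate_dn` and `invalid_dn_options` are hypothetical names.

```python
import re

# Option names are from the bug report; all function names are hypothetical.
DN_OPTIONS = ("user", "user_tree_dn", "group_tree_dn")
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")  # descr or OID
_HEX_STRING = re.compile(r"#([0-9A-Fa-f]{2})+")                # BER-encoded value
# Plain characters, or a backslash followed by a special or a hex pair.
_STRING = re.compile(r'([^"+,;<>\\\x00]|\\[ "#+,;<=>\\]|\\[0-9A-Fa-f]{2})*')

def _split_unescaped(text, sep):
    """Split on sep, ignoring a separator that follows a backslash."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def _valid_value(value):
    pattern = _HEX_STRING if value.startswith("#") else _STRING
    return pattern.fullmatch(value) is not None

def validate_dn(dn):
    """Return None when dn follows the RFC 4514 grammar, else a reason."""
    if not isinstance(dn, str) or not dn.strip():
        return "empty or non-string DN"
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            # Spaces around separators are tolerated, as most LDAP libraries do.
            if not eq or not _ATTR_TYPE.fullmatch(attr.strip()):
                return "bad attribute type in %r" % ava
            if not _valid_value(value.lstrip()):
                return "bad attribute value in %r" % ava
    return None

def invalid_dn_options(ldap_group):
    """Map each DN option present in the 'ldap' config group to its error."""
    errors = {name: validate_dn(ldap_group[name])
              for name in DN_OPTIONS if name in ldap_group}
    return {name: err for name, err in errors.items() if err}
```

A create (PUT) or update (PATCH) handler would reject the request with a validation error whenever `invalid_dn_options` returns a non-empty dict, instead of returning success and failing later at bind or search time.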