yahoo-eng-team team mailing list archive

[Bug 1528676] Re: OpenLDAP password policy not enforced for password changes

 

Agreed on class D; I closed the OSSA task. This could be re-opened
whenever the situation changes.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1528676

Title:
  OpenLDAP password policy not enforced for password changes

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Hello there,
  I'm on Ubuntu 14.04.3, OpenStack Juno and OpenLDAP v2.4.31 releases.
  I configured OpenLDAP as an identity backend for Keystone and configured it according to official documentation from:
  http://docs.openstack.org/developer/keystone/configuration.html
  I'd like my users to be able to change their own passwords, but at the same time I'd like the OpenLDAP password policy to be enforced upon password changes. I've set all of allow_creates, allow_updates and allow_deletes to true so as not to be restricted in any way by keystone.
  The problem is the following: the RootDN account is used for binding when the user is changing his/her password. The OpenLDAP password policy is not enforced when RootDN performs the password change. As a result, no password policy is enforced during a password change.
  If I don't set LDAP user/password in keystone.conf, then users cannot change their own passwords at all.
  Please recommend how I can allow the users to change their own passwords and at the same time enforce OpenLDAP password policy.
  Thank you,
  Nodir
