yahoo-eng-team team mailing list archive
Message #58731
[Bug 1528676] Re: OpenLDAP password policy not enforced for password changes
Write support is being removed, this will not be fixed.
** Changed in: keystone
Status: Triaged => Won't Fix
https://bugs.launchpad.net/bugs/1528676
Title:
OpenLDAP password policy not enforced for password changes
Status in OpenStack Identity (keystone):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Hello there,
I'm on Ubuntu 14.04.3, OpenStack Juno and OpenLDAP v2.4.31 releases.
I configured OpenLDAP as an identity backend for Keystone and configured it according to official documentation from:
http://docs.openstack.org/developer/keystone/configuration.html
I'd like my users to be able to change their own passwords, but at the same time I'd like the OpenLDAP password policy to be enforced upon password changes. I've set all of allow_creates, allow_updates and allow_deletes to true so as not to be restricted in any way by keystone.
The problem is the following: the RootDN account is used for binding when the user is changing his/her password. The OpenLDAP password policy is not enforced when RootDN performs the password change. As a result, no password policy is enforced during password change.
If I don't set LDAP user/password in keystone.conf, then users cannot change their own passwords at all.
Please recommend how I can allow the users to change their own passwords and at the same time enforce OpenLDAP password policy.
Thank you,
Nodir
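A configuration check for the condition the report describes, added here as an example and not code from keystone or from the reporter: it flags a keystone.conf whose [ldap] bind user matches an olcRootDN in a cn=config LDIF export while user write flags are enabled. The option names `user`, `user_allow_create`, `user_allow_update` and `user_allow_delete` are assumed to be the keystone [ldap] settings the report refers to, the DN comparison is simplified, and all sample input is constructed.

```python
import configparser
import re

# Assumed keystone [ldap] write options (the report calls them allow_creates etc.).
WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete")

def normalize_dn(dn):
    """Simplified DN comparison form: trim each RDN and lowercase it."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)

def root_dns(ldif_text):
    """Collect olcRootDN values from a cn=config LDIF export (plain values only)."""
    found = set()
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "olcrootdn" and not value.startswith(":"):
            found.add(normalize_dn(value))
    return found

def rootdn_write_flags(keystone_conf, ldif_text):
    """Return the explicitly enabled write flags if keystone binds as a rootDN."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(keystone_conf)
    if not cfg.has_section("ldap"):
        return []
    ldap = cfg["ldap"]
    bind_dn = ldap.get("user", "").strip()
    if not bind_dn or normalize_dn(bind_dn) not in root_dns(ldif_text):
        return []
    # Only flags set in the file are counted; unset options are not guessed.
    return [f for f in WRITE_FLAGS if ldap.getboolean(f, fallback=False)]

# Constructed sample input, not taken from the report.
SAMPLE_KEYSTONE_CONF = """[ldap]
user = cn=Admin, dc=example,dc=com
user_allow_create = True
user_allow_update = True
user_allow_delete = True
"""
SAMPLE_LDIF = """dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
"""

if __name__ == "__main__":
    print(rootdn_write_flags(SAMPLE_KEYSTONE_CONF, SAMPLE_LDIF))
```

A non-empty result means password changes made through keystone are performed by the RootDN bind, which is the case the report says is not subject to the OpenLDAP password policy.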