yahoo-eng-team team mailing list archive
Message #60426
[Bug 1649138] Re: Initial LDAP bind occurs inconsistently depending on deployment configuration
Reviewed: https://review.openstack.org/407561
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f8ee249bf08cefd8468aa15c589dab48bd5c4cd8
Submitter: Jenkins
Branch: master
commit f8ee249bf08cefd8468aa15c589dab48bd5c4cd8
Author: Colleen Murphy <colleen@xxxxxxxxxxx>
Date: Tue Dec 6 15:40:02 2016 +0100
Add anonymous bind to get_connection method
If no username and password are specified in the keystone ldap
configuration, it may still be possible to bind to an LDAP server
anonymously if the LDAP server is configured to allow it. Currently,
upon creating a connection object, keystone only attempts to bind to
the LDAP server if a username and password have been provided to it.
This would rarely be an issue because pyldap attempts a reconnect upon
executing any ldap command, if necessary, and hence the anonymous bind
just happens later. It is a problem now because logic was added[1] to
check if the server errored during that initial connection, and for it
to work correctly the initial connection needs to happen in a
predictable place. This patch adds an anonymous bind to the
get_connection method so that no matter the credential configuration
the initial connection is consistent.
This required adding mocks to many of the LDAP backend tests since
every LDAP interaction now attempts a simple_bind_s() regardless of
whether credentials are configured in keystone.
[1] https://review.openstack.org/#/c/390948
Closes-bug: #1649138
Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1649138
Title:
Initial LDAP bind occurs inconsistently depending on deployment
configuration
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
Some operators configure their LDAP identity backends to allow
anonymous binds for access to read-only information. This is a valid
configuration within keystone, as keystone does not require LDAP
credentials to be set in its config. Currently, if keystone is given
LDAP credentials, it will attempt an initial authenticated bind at the
same time that it creates a connection object[1]. If keystone does not
have LDAP credentials, the first time it attempts to bind to the LDAP
server will be upon the first time it executes a query, because pyldap
will automatically attempt a "reconnect"[2] if necessary, so there's
not normally any problem. The only reason this would be a problem
would be if we were trying to do some connection validation, which
arose in a recent review[3]. In order to validate the connection, the
first connection needs to happen in a predictable place regardless of
the method of binding.
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py?h=11.0.0.0b1#n1286
[2] https://github.com/pyldap/pyldap/blob/pyldap-2.4.25.1/Lib/ldap/ldapobject.py#L1069
[3] https://review.openstack.org/#/c/390948/
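The inconsistency the bug describes, and the effect of the fix, as an added stand-alone illustration (not keystone's or pyldap's code): a constructed FakeLdapObject stands in for a pyldap connection whose lazy reconnect binds on the first query, and the two get_connection variants are assumed simplifications of the pre- and post-fix logic. first_error_point shows at which step an unreachable server is first noticed for each credential configuration.

```python
class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN (constructed for this demo)."""

class FakeLdapObject:
    """Minimal stand-in for a pyldap connection object (assumption, not pyldap)."""

    def __init__(self, server_up):
        self.server_up = server_up
        self.bind_calls = []  # (who, cred) for every simple_bind_s call

    def simple_bind_s(self, who="", cred=""):
        self.bind_calls.append((who, cred))
        if not self.server_up:
            raise ServerDown("can't contact LDAP server")
        return "bound"

    def search_s(self, base, scope):
        # Mimics pyldap's lazy reconnect: bind on the first query if nobody bound yet.
        if not self.bind_calls:
            self.simple_bind_s("", "")
        return []

def get_connection_before(conn, user=None, password=None):
    """Pre-fix logic: bind only when credentials are configured."""
    if user and password:
        conn.simple_bind_s(user, password)
    return conn

def get_connection_after(conn, user=None, password=None):
    """Post-fix logic: always bind, anonymously when no credentials are set."""
    if user and password:
        conn.simple_bind_s(user, password)
    else:
        conn.simple_bind_s("", "")  # anonymous bind; server errors surface here
    return conn

def first_error_point(get_connection, user=None, password=None):
    """Where a downed server is first noticed: 'connect', 'query' or 'never'."""
    conn = FakeLdapObject(server_up=False)
    try:
        get_connection(conn, user, password)
    except ServerDown:
        return "connect"
    try:
        conn.search_s("dc=example,dc=org", scope=2)
    except ServerDown:
        return "query"
    return "never"
```

With the pre-fix logic the error only appears at connect time when credentials are configured; after the fix it appears at connect time in both configurations, which is what the connection validation in review 390948 relies on.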