yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2121152] [NEW] ldap identity backend 'enabled' setting not interpreted as boolean

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Benedikt Trefzer <2121152@xxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Aug 2025 14:03:02 -0000
Reply-to: Bug 2121152 <2121152@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Using ldap keystone identity backend shows enabled=True for ALL users
although some of them should be disabled.

Changing the keystone setting 'ldap/user_enabled_invert' to True,
keystone finds correctly enabled and disabled users (despite that
enabled users are disabled and vice versa ;)).

Ldap keystone settings used:
user_enabled_attribute = IsActive
user_enabled_invert = false         (unchanged default)
user_enabled_mask = 0               (unchanged default)
user_enabled_default = True         (unchanged default)
user_enabled_emulation = false      (unchanged default)

Ldap definition of attribute IsActive:
attributetype ( AttributeType:44
   NAME 'IsActive'
   DESC 'Is the entry active? Either yes (TRUE) or no (FALSE).'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )

Additional information: 
Problem seems to be in the function _ldap_res_to_model (file identity/backends/ldap/core.py) that a string to boolean convertion is done only if inverting is enabled.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2121152

Title:
  ldap identity backend 'enabled' setting not interpreted as boolean

Status in OpenStack Identity (keystone):
  New

Bug description:
  Using ldap keystone identity backend shows enabled=True for ALL users
  although some of them should be disabled.

  Changing the keystone setting 'ldap/user_enabled_invert' to True,
  keystone finds correctly enabled and disabled users (despite that
  enabled users are disabled and vice versa ;)).

  Ldap keystone settings used:
  user_enabled_attribute = IsActive
  user_enabled_invert = false         (unchanged default)
  user_enabled_mask = 0               (unchanged default)
  user_enabled_default = True         (unchanged default)
  user_enabled_emulation = false      (unchanged default)

  Ldap definition of attribute IsActive:
  attributetype ( AttributeType:44
     NAME 'IsActive'
     DESC 'Is the entry active? Either yes (TRUE) or no (FALSE).'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE )

  Additional information: 
  Problem seems to be in the function _ldap_res_to_model (file identity/backends/ldap/core.py) that a string to boolean convertion is done only if inverting is enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2121152/+subscriptions