yahoo-eng-team team mailing list archive
Message #96640
[Bug 2121152] Re: ldap identity backend 'enabled' setting not interpreted as boolean
Reviewed: https://review.opendev.org/c/openstack/keystone/+/958205
Committed: https://opendev.org/openstack/keystone/commit/98e3e6bd847e94d856f3bac7eb23d1b3e9d4f89b
Submitter: "Zuul (22348)"
Branch: master
commit 98e3e6bd847e94d856f3bac7eb23d1b3e9d4f89b
Author: Benedikt Trefzer <benedikt.trefzer@xxxxxxxxxx>
Date: Thu Aug 21 16:11:12 2025 +0200

    fix ldap 'enabled' setting not interpreted as boolean

    interpretation of the ldap enabled attribute as boolean
    is only done if enabled_invert setting is set to true.

    Closes-Bug: #2121152
    Change-Id: I7260bf46adf003aef7c7ac0d436c3758f658cb0c
    Signed-off-by: Benedikt Trefzer <benedikt.trefzer@xxxxxxxxxx>

** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2121152
Title:
ldap identity backend 'enabled' setting not interpreted as boolean
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
Using ldap keystone identity backend shows enabled=True for ALL users
although some of them should be disabled.
Changing the keystone setting 'ldap/user_enabled_invert' to True,
keystone finds correctly enabled and disabled users (despite that
enabled users are disabled and vice versa ;)).
Ldap keystone settings used:

    user_enabled_attribute = IsActive
    user_enabled_invert = false (unchanged default)
    user_enabled_mask = 0 (unchanged default)
    user_enabled_default = True (unchanged default)
    user_enabled_emulation = false (unchanged default)

Ldap definition of attribute IsActive:

    attributetype ( AttributeType:44
        NAME 'IsActive'
        DESC 'Is the entry active? Either yes (TRUE) or no (FALSE).'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )

Additional information:
Problem seems to be in the function _ldap_res_to_model (file identity/backends/ldap/core.py), in that a string to boolean conversion is done only if inverting is enabled.
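
The behaviour reported above can be reproduced with a small model. This is an added example, not keystone's code and not part of the original message: all function names are hypothetical, the sample users are constructed, and it assumes that an unconverted LDAP string is later tested for truthiness, which is why "FALSE" reads as enabled.

```python
# Simplified model of the reported flaw; NOT keystone's implementation.
# Function and parameter names are hypothetical.

def parse_ldap_boolean(raw, default=True):
    """Map an LDAP Boolean-syntax value ('TRUE'/'FALSE') to a Python bool.

    Missing attribute -> default. Any value other than 'TRUE' is treated
    as disabled, so an unexpected string fails closed.
    """
    if raw is None:
        return default
    if isinstance(raw, bool):
        return raw
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return raw.strip().upper() == "TRUE"


def enabled_before_fix(raw, invert=False, default=True):
    """Conversion happens only on the invert path, as the report describes."""
    value = default if raw is None else raw
    if invert:
        return not parse_ldap_boolean(value, default)
    # Assumption: the raw string is evaluated for truthiness downstream.
    # Any non-empty string, including "FALSE", is truthy.
    return bool(value)


def enabled_after_fix(raw, invert=False, default=True):
    """Always convert first, then apply the optional inversion."""
    value = parse_ldap_boolean(raw, default)
    return (not value) if invert else value


# Constructed sample entries: user name -> raw IsActive attribute value.
SAMPLE_USERS = {"alice": "TRUE", "bob": "FALSE", "carol": None}


def report(fn, invert):
    """Return the computed 'enabled' flag for every sample user."""
    return {name: fn(raw, invert=invert) for name, raw in SAMPLE_USERS.items()}


if __name__ == "__main__":
    print("before, invert=False:", report(enabled_before_fix, False))
    print("before, invert=True: ", report(enabled_before_fix, True))
    print("after,  invert=False:", report(enabled_after_fix, False))
```

A regression test for a deployment affected by this bug would assert that a directory entry with the enabled attribute set to FALSE is reported as disabled with user_enabled_invert left at its default.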