[Bug 997700] Related fix proposed to keystone (master)
OpenStack Infra
997700 at bugs.launchpad.net
Wed Feb 10 23:25:16 UTC 2016
Related fix proposed to branch: master
Review: https://review.openstack.org/278791
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/997700
Title:
LDAP should not check username on "sn" field
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) essex series:
Fix Released
Status in keystone package in Ubuntu:
Fix Released
Status in keystone source package in Precise:
Fix Released
Bug description:
The ldap backend is hardcoded to only check the entered username
against the "sn" attribute type. In general, this is a misuse of the
"sn" attribute, which refers to SurName, but the fact that this is
hardcoded is more troublesome, as the username field may take on
different attribute types in various LDAP implementations. Most widely
used would be "cn", or CommonName, which generally maps to a username.
Most LDAP implementations allow the name of the field on which the
query is done to be specified in a config file. Indeed, there are many
options in the keystone config relating to LDAP fields, but this is
not one of them.
See:
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L251
The quick fix is to make this "cn" instead of "sn", the better fix
would be to make this an option in the config.
I imagine this would make ldap auth fail for the majority of people -
everyone who doesn't have their username the same as their last name.
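To show why the hardcoded attribute matters, here is an added example (not keystone's code) of a user lookup whose name attribute is configurable, in the spirit of keystone's `[ldap] user_name_attribute` option; the sample entries, the `find_users` matcher and the `name_attr` parameter are assumptions made for illustration.

```python
# Added example (not keystone code): user lookup with a configurable name
# attribute, contrasted with the hardcoded "sn" described in the bug.

# Constructed sample directory entries (not real data). Note that "sn" is
# not unique: two users share the surname "Smith".
DIRECTORY = [
    {"dn": "cn=alice,ou=users,dc=example,dc=com",
     "cn": "alice", "sn": "Smith", "objectClass": "inetOrgPerson"},
    {"dn": "cn=bsmith,ou=users,dc=example,dc=com",
     "cn": "bsmith", "sn": "Smith", "objectClass": "inetOrgPerson"},
]

# RFC 4515 escaping for values placed inside a search filter, so that the
# entered username cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, name_attr="sn"):
    """Build the LDAP search filter for a login name.

    name_attr stands in for a config option; the default "sn" reproduces
    the behaviour the bug complains about, "cn" is the proposed quick fix.
    """
    return "(&(objectClass=inetOrgPerson)(%s=%s))" % (
        name_attr, escape_filter_value(username))


def find_users(username, name_attr="sn", directory=DIRECTORY):
    """Toy matcher over in-memory entries, standing in for an LDAP search.

    Returns the DNs whose name_attr equals the entered username.
    """
    return [e["dn"] for e in directory if e.get(name_attr) == username]


if __name__ == "__main__":
    # "alice" logs in with her username: not found via "sn", found via "cn".
    print(build_user_filter("alice"), find_users("alice"))
    print(build_user_filter("alice", "cn"), find_users("alice", "cn"))
    # Matching on surname is also ambiguous: "Smith" hits two entries.
    print(find_users("Smith"))
```

Running the block shows the same login name failing against `sn`, succeeding against `cn`, and a surname lookup returning two entries, which is the ambiguity that makes `sn` a poor choice even where it happens to match.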
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/997700/+subscriptions