f8ee249bf0
If no username and password is specified in the keystone ldap configuration, it may still be possible to bind to an LDAP server anonymously if the LDAP server is configured to allow it. Currently, upon creating a connection object, keystone only attempts to bind to the LDAP server if a username and password has been provided to it. This would rarely be an issue because pyldap attempts a reconnect upon executing any ldap command, if necessary, and hence the anonymous bind just happens later. It is a problem now because logic was added[1] to check if the server errored during that initial connection, and for it to work correctly the initial connection needs to happen in a predictable place. This patch adds an anonymous bind to the get_connection method so that no matter the credential configuration the initial connection is consistent. This required adding mocks to many of the LDAP backend tests since every LDAP interaction now attempts a simple_bind_s() regardless of whether credentials are configured in keystone. [1] https://review.openstack.org/#/c/390948 Closes-bug: #1649138 Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b |
||
|---|---|---|
| .. | ||
| notes | ||
| source | ||