Bug 1305998
Summary: | The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Dan Lavu <dlavu> |
Component: | openstack-keystone | Assignee: | Adam Young <ayoung> |
Status: | CLOSED WONTFIX | QA Contact: | nlevinki <nlevinki> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.0 (Kilo) | CC: | jdennis, nkinder, srevivo |
Target Milestone: | --- | Keywords: | ZStream |
Target Release: | 8.0 (Liberty) | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-09-30 02:39:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Dan Lavu
2016-02-09 19:15:17 UTC
Latest 2 releases (8 and 9) have removed write support for the LDAP driver. Suggest we do the same.

In the case of what you have above, the Keystone server was allowed to write to the LDAP server, which should not be the case. We should not be running with the values of:

user_allow_create=true
user_allow_update=true
user_allow_delete=true

As that indicates to the User that the Keystone server is in control of the LDAP instance (not a good design). To provide an additional guard against it, the LDAP user that performs queries against LDAP should not have write access to the database.
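An added example, not part of the bug report or of keystone itself: a short audit that parses a keystone.conf and lists the [ldap] options that still let keystone write to the directory, so a deployment can be checked before any domain deletion is attempted. The option names are keystone's own [ldap] settings (they default to true when omitted); the hostnames, bind DNs and the two sample configs are constructed for illustration.

```python
# Added example: audit a keystone.conf for [ldap] write-enabling options.
# Constructed sample configs; option names are keystone's real [ldap] switches.
import configparser
import io

# Every [ldap] option that grants keystone create/update/delete rights.
WRITE_OPTIONS = (
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
)

# Weak (constructed): keystone is allowed to write users; the group_*
# options are omitted, which keystone treats as true.
WEAK_CONF = """\
[ldap]
url = ldap://ldap.example.test
user = cn=keystone,ou=services,dc=example,dc=test
password = CHANGEME
suffix = dc=example,dc=test
user_allow_create = true
user_allow_update = true
user_allow_delete = true
"""

# Hardened (constructed): every write switch is explicitly off, and the
# bind account is a read-only service DN (the directory-side ACL that
# denies it write access is configured on the LDAP server, not here).
HARDENED_CONF = """\
[ldap]
url = ldap://ldap.example.test
user = cn=keystone-ro,ou=services,dc=example,dc=test
password = CHANGEME
suffix = dc=example,dc=test
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false
"""


def ldap_write_flags(conf_text):
    """Return the [ldap] write options that are enabled in conf_text.
    An absent option counts as enabled because keystone defaults it to true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    if not cp.has_section("ldap"):
        return []  # no LDAP identity backend configured in this file
    return [opt for opt in WRITE_OPTIONS
            if cp.getboolean("ldap", opt, fallback=True)]
```

Any non-empty result means the keystone service account must also be confirmed read-only on the directory side, since the config alone only stops keystone from trying to write.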