| author | Allan Feid <allanfeid@gmail.com> | 2013-03-11 23:11:52 -0400 |
|---|---|---|
| committer | Allan Feid <allanfeid@gmail.com> | 2013-03-21 10:00:07 -0400 |
| commit | aa6c01a062b00516c9d26f3e23bd04b1075c4e2f (patch) | |
| tree | 7f7c2aeb1e8f7d9e5bf31af951a103f2cf95b6f5 /keystone | |
| parent | aa58233bd8ba174e07076444b0dc5fdb67f5a5e6 (diff) | |
Add a dereference option for ldap
This allows proper dereferencing of aliased objects in an LDAP tree.
Fixes Bug #1153786
Change-Id: Ia09a99b7bca1ab055eb0c6dfa34138beca15bff0
Diffstat (limited to 'keystone')
| -rw-r--r-- | keystone/common/config.py | 1 | ||||
| -rw-r--r-- | keystone/common/ldap/core.py | 21 |
2 files changed, 20 insertions, 2 deletions
diff --git a/keystone/common/config.py b/keystone/common/config.py
index e60385cc..2fd20b99 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -268,6 +268,7 @@ def configure():
     register_bool('allow_subtree_delete', group='ldap', default=False)
     register_str('query_scope', group='ldap', default='one')
     register_int('page_size', group='ldap', default=0)
+    register_str('alias_dereferencing', group='ldap', default='default')
     register_str('user_tree_dn', group='ldap', default=None)
     register_str('user_filter', group='ldap', default=None)
diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 865c90e7..b06f2277 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -29,6 +29,11 @@ LDAP_VALUES = {'TRUE': True, 'FALSE': False}
 CONTROL_TREEDELETE = '1.2.840.113556.1.4.805'
 LDAP_SCOPES = {'one': ldap.SCOPE_ONELEVEL, 'sub': ldap.SCOPE_SUBTREE}
+LDAP_DEREF = {'always': ldap.DEREF_ALWAYS,
+              'default': None,
+              'finding': ldap.DEREF_FINDING,
+              'never': ldap.DEREF_NEVER,
+              'searching': ldap.DEREF_SEARCHING}
 def py2ldap(val):
@@ -62,6 +67,14 @@ def safe_iter(attrs):
         yield attrs
+def parse_deref(opt):
+    try:
+        return LDAP_DEREF[opt]
+    except KeyError:
+        raise ValueError((_('Invalid LDAP deref option: %s. Choose one of: ') % opt) + ', '.join(LDAP_DEREF.keys()))
 def ldap_scope(scope):
     try:
         return LDAP_SCOPES[scope]
@@ -91,6 +104,7 @@ class BaseLdap(object):
         self.LDAP_USER = conf.ldap.user
         self.LDAP_PASSWORD = conf.ldap.password
         self.LDAP_SCOPE = ldap_scope(conf.ldap.query_scope)
+        self.alias_dereferencing = parse_deref(conf.ldap.alias_dereferencing)
         self.page_size = conf.ldap.page_size
         if self.options_name is not None:
@@ -142,7 +156,8 @@ class BaseLdap(object):
             conn = fakeldap.FakeLdap(self.LDAP_URL)
         else:
             conn = LdapWrapper(self.LDAP_URL,
-                               self.page_size)
+                               self.page_size,
+                               alias_dereferencing=self.alias_dereferencing)
         if user is None:
             user = self.LDAP_USER
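Review bot: The accepted values for the new `alias_dereferencing` option are not stated where it is registered; a reader of config.py has to locate LDAP_DEREF in keystone/common/ldap/core.py to learn them, and an unknown value is only rejected later when BaseLdap is constructed. A comment above the `register_str` line such as `# one of: always, default, finding, never, searching (see ldap/core.py LDAP_DEREF)` would make the contract visible at the definition. Whether the sample configuration file documents the option cannot be seen here, since the diffstat is limited to 'keystone'. The enclosing `configure()` extends beyond the hunk.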
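Review bot: The `'default': None` entry in LDAP_DEREF carries a non-obvious meaning that the table does not explain: as the LdapWrapper hunk shows, None causes `set_option(ldap.OPT_DEREF, ...)` to be skipped entirely, so the connection inherits whatever dereferencing policy python-ldap, or any earlier process-wide `ldap.set_option` call, has established rather than a fixed value. A comment on that entry, `# None: leave OPT_DEREF untouched; the library/process default applies`, would stop operators from reading 'default' as a specific policy. It is also worth a line noting that `always` and `searching` make the directory server follow alias entries while searching, so anyone able to create aliases under the search base can influence which entries keystone's lookups resolve to; deployments that do not rely on aliases should prefer `never`.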
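Review bot: The error message built in the `except KeyError` branch of `parse_deref` joins `LDAP_DEREF.keys()` in dict iteration order, which is not guaranteed to be stable, so the list of valid choices can come out in a different order across runs, and the list is concatenated outside the `_()` call, so translators cannot position it within the sentence. Fold the list into the format string and sort it: `raise ValueError(_('Invalid LDAP deref option: %(opt)s. Choose one of: %(choices)s') % {'opt': opt, 'choices': ', '.join(sorted(LDAP_DEREF))})`. A one-line docstring, `"""Map an alias_dereferencing config value to an ldap.DEREF_* constant (None for 'default')."""`, would also help since the function is otherwise undocumented.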
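Review bot: The `fakeldap.FakeLdap(self.LDAP_URL)` branch does not receive `alias_dereferencing`, so the test backend never sees the new option and a value that python-ldap's `set_option` rejects would only surface against a real directory server. If FakeLdap's constructor accepts keyword arguments (its signature is not in this diff), pass `alias_dereferencing=self.alias_dereferencing` there as well, or have it accept and record the option so unit tests can assert what was configured. The enclosing method starts outside the hunk.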
@@ -348,9 +363,11 @@ class BaseLdap(object):
 class LdapWrapper(object):
-    def __init__(self, url, page_size):
+    def __init__(self, url, page_size, alias_dereferencing=None):
         LOG.debug(_("LDAP init: url=%s"), url)
         self.conn = ldap.initialize(url)
+        if alias_dereferencing is not None:
+            self.conn.set_option(ldap.OPT_DEREF, alias_dereferencing)
         self.page_size = page_size
     def simple_bind_s(self, user, password): |
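Review bot: The new `alias_dereferencing` parameter is handed straight to `self.conn.set_option(ldap.OPT_DEREF, ...)` with no statement of what it must be; validation lives only in `parse_deref` in the caller, so a direct LdapWrapper user who passes the config string (for example `'never'`) would presumably get a python-ldap type error rather than a clear message. Add a docstring line to `__init__`, `:param alias_dereferencing: an ldap.DEREF_* constant, or None to leave the process-wide OPT_DEREF setting in effect`, and a comment on the `if` noting that None deliberately inherits whatever global `ldap.set_option(ldap.OPT_DEREF, ...)` may already have been made elsewhere in the process. The class body continues past the hunk.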
