From cfb3fdb5ecd3969e069a5379a0de34839af6e626 Mon Sep 17 00:00:00 2001 From: Ionuț Arțăriși Date: Fri, 8 Feb 2013 17:35:19 +0100 Subject: allow unauthenticated connections to an LDAP server Fixes: bug 1119495 Change-Id: I13cdc212752f212ecf59a6a83f8f32c042ccf6e0 --- keystone/config.py | 16 +++++++++------- tests/test_backend_ldap.py | 16 ++++++++++++++++ 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/keystone/config.py b/keystone/config.py index 40af2fd6..a9de8b8b 100644 --- a/keystone/config.py +++ b/keystone/config.py @@ -148,13 +148,14 @@ register_int('max_token_size', default=8192) # identity register_str('default_domain_id', group='identity', default='default') -#ssl options +# ssl register_bool('enable', group='ssl', default=False) register_str('certfile', group='ssl', default=None) register_str('keyfile', group='ssl', default=None) register_str('ca_certs', group='ssl', default=None) register_bool('cert_required', group='ssl', default=False) -#signing options + +# signing register_str('token_format', group='signing', default="PKI") register_str('certfile', group='signing', @@ -168,7 +169,7 @@ register_int('valid_days', group='signing', default=3650) register_str('ca_password', group='signing', default=None) -# sql options +# sql register_str('connection', group='sql', default='sqlite:///keystone.db') register_int('idle_timeout', group='sql', default=200) @@ -187,10 +188,10 @@ register_str('driver', group='stats', default='keystone.contrib.stats.backends.kvs.Stats') -#ldap +# ldap register_str('url', group='ldap', default='ldap://localhost') -register_str('user', group='ldap', default='dc=Manager,dc=example,dc=com') -register_str('password', group='ldap', default='freeipa4all') +register_str('user', group='ldap', default=None) +register_str('password', group='ldap', default=None) register_str('suffix', group='ldap', default='cn=example,cn=com') register_bool('use_dumb_member', group='ldap', default=False) register_str('dumb_member', group='ldap', default='cn=dumb,dc=nonexistent') @@ -247,7 +248,8 @@ register_list('group_attribute_ignore', group='ldap', default='') register_bool('group_allow_create', group='ldap', default=True) register_bool('group_allow_update', group='ldap', default=True) register_bool('group_allow_delete', group='ldap', default=True) -#pam + +# pam register_str('url', group='pam', default=None) register_str('userid', group='pam', default=None) register_str('password', group='pam', default=None) diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py index f982e67b..3b6d1e13 100644 --- a/tests/test_backend_ldap.py +++ b/tests/test_backend_ldap.py @@ -396,6 +396,22 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['enabled'], True) + def test_user_api_get_connection_no_user_password(self): + """Don't bind in case the user and password are blank""" + self.config([test.etcdir('keystone.conf.sample'), + test.testsdir('test_overrides.conf')]) + CONF.ldap.url = "fake://memory" + user_api = identity_ldap.UserApi(CONF) + self.stubs.Set(fakeldap, 'FakeLdap', + self.mox.CreateMock(fakeldap.FakeLdap)) + # we have to track all calls on 'conn' to make sure that + # conn.simple_bind_s is not called + conn = self.mox.CreateMockAnything() + conn = fakeldap.FakeLdap(CONF.ldap.url).AndReturn(conn) + self.mox.ReplayAll() + + user_api.get_connection(user=None, password=None) + # TODO (henry-nash) These need to be removed when the full LDAP implementation # is submitted - see BugL #1092187 def test_group_crud(self): -- cgit