[Openstack-security] All LDAP users returned using keystone v3/users API
Anna A Sortland
annasort at us.ibm.com
Fri Mar 7 20:03:22 UTC 2014
The current keystone LDAP community driver returns all users that exist in
LDAP via the API call v3/users, instead of returning just users that have
role grants (similar processing is true for groups). This could
potentially be a very large number of users. We have seen large companies
with LDAP servers containing hundreds and thousands of users. We are aware
of the filters available in keystone.conf ([ldap].user_filter and
[ldap].query_scope) to cut down on the number of results, but they do not
provide sufficient filtering (for example, it is not possible to set
user_filter to members of certain known groups for OpenLDAP without
creating a memberOf overlay on the LDAP server).

What was the reason the LDAP driver was written this way, instead of
returning just the users that have OpenStack-known roles? Was the creation
of a separate API for this function considered?

Are other exploiters of OpenStack (or users of Horizon) experiencing this
issue? If so, what was their approach to overcome this issue? We have been
prototyping a keystone extension that provides an API that provides this
filtering capability, but it seems like a function that should be
generally available in keystone.
Anna Sortland
Cloud Systems Software Development
IBM Rochester, MN
annasort at us.ibm.com
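The filtering gap described in the message above, as an added illustration that is not part of the original post or of keystone's code: it simulates why a `[ldap].user_filter` on `memberOf` selects nothing on OpenLDAP unless the memberOf overlay populates that attribute, and why "users with role grants" needs a join against keystone's own assignments rather than an LDAP filter. All directory entries, group DNs and role assignments are constructed.

```python
# Added example (not from the original post or from keystone): models the
# difference between filtering users server-side via [ldap].user_filter and
# resolving membership or role grants keystone-side. Everything below is
# constructed sample data, not a real directory.
from typing import Dict, List

# Constructed user entries as an LDAP search would return them. Without the
# memberOf overlay, OpenLDAP does not fill "memberOf" on the user entry.
USERS: List[Dict] = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice", "memberOf": []},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob", "memberOf": []},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "uid": "carol", "memberOf": []},
]

# Constructed groupOfNames entry; membership lives on the group side.
GROUPS: List[Dict] = [
    {"dn": "cn=openstack,ou=groups,dc=example,dc=com",
     "member": ["uid=alice,ou=people,dc=example,dc=com",
                "uid=bob,ou=people,dc=example,dc=com"]},
]

# Constructed keystone role assignments (user id -> roles). These live in
# keystone's assignment backend, not in LDAP, so no LDAP filter can see them.
ROLE_ASSIGNMENTS: Dict[str, List[str]] = {"alice": ["member"], "carol": ["admin"]}


def users_by_user_filter(users: List[Dict], group_dn: str) -> List[str]:
    """What user_filter = (memberOf=<group_dn>) selects: only users whose entry
    carries memberOf, i.e. only when the server has the memberOf overlay."""
    return sorted(u["uid"] for u in users if group_dn in u["memberOf"])


def users_by_group_member(users: List[Dict], groups: List[Dict], group_dn: str) -> List[str]:
    """Resolve membership from the group's member attribute instead. This needs
    a second search and a join, which a single user_filter cannot express."""
    members = {dn for g in groups if g["dn"] == group_dn for dn in g["member"]}
    return sorted(u["uid"] for u in users if u["dn"] in members)


def users_with_role_grants(users: List[Dict], assignments: Dict[str, List[str]]) -> List[str]:
    """The behaviour the post asks for: LDAP users intersected with keystone's
    role assignments, so only users with at least one grant are listed."""
    return sorted(u["uid"] for u in users if assignments.get(u["uid"]))
```

With the constructed data, the memberOf-based filter returns nothing, the group-side join returns alice and bob, and the role-grant join returns alice and carol, showing that each listing answers a different question.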