
Revoke tokens for user disabled in LDAP

asked 2014-03-20 14:00:37 -0500


If Keystone is set up with an LDAP back-end and does not have write access to it, is there a way to invalidate tokens upon user lock/deletion in LDAP? From my observation, all operations that would cause existing user tokens to be revoked require write rights to the LDAP back-end.

Is there any existing solution?


1 answer


answered 2014-03-20 20:15:16 -0500

updated 2014-03-20 20:15:40 -0500

Why do you think token revocation requires LDAP write privileges? Tokens don't use LDAP. If you detect a user lock/deletion, then you need to get the tokens issued for the user and delete them.

Look at this file, line no. 210, for the method delete_tokens_for_user:

https://github.com/openstack/keystone/blob/master/keystone/token/core.py

Comments

I never said token revocation requires LDAP write privileges. The goal is to revoke tokens once a user gets locked in LDAP. However, with write access to LDAP, it's possible to perform some actions that would cause tokens to be automatically revoked (like deleting the Member role).

Ruslan Kiianchuk (2014-03-31 00:23:38 -0500)
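The answer's approach (detect the lock or deletion on the LDAP side, then delete that user's tokens on the Keystone side) can be implemented as a read-only poller that diffs successive directory snapshots and hands the affected user ids to a revocation hook. The block below is an added example, not code from the thread or from Keystone: the LDAP snapshots and token store are constructed in-memory stand-ins, the `nsAccountLock` attribute is an assumed lock convention (directories differ), and the `revoke` callback is where a deployment would call the Keystone token manager method the answer points at (`delete_tokens_for_user`), which is not imported here.

```python
"""Read-only LDAP poller that revokes tokens for locked or deleted users.

Constructed example, not Keystone's own code. Snapshots and the token
store are in-memory stand-ins; the revoke hook is where Keystone's
delete_tokens_for_user would be called (assumed, not imported).
"""
from typing import Callable, Dict, Iterable, List, Set

# Constructed directory snapshots: at T1 an administrator has locked "bob"
# and deleted "carol". nsAccountLock is the 389-ds/FreeIPA lock attribute;
# treat it as an assumption and adapt the predicate to your directory.
SNAPSHOT_T0 = [
    {"uid": "alice", "nsAccountLock": "FALSE"},
    {"uid": "bob", "nsAccountLock": "FALSE"},
    {"uid": "carol", "nsAccountLock": "FALSE"},
]
SNAPSHOT_T1 = [
    {"uid": "alice", "nsAccountLock": "FALSE"},
    {"uid": "bob", "nsAccountLock": "TRUE"},
]

# Constructed token store: token id -> owning user id.
TOKEN_STORE: Dict[str, str] = {
    "tok-a1": "alice",
    "tok-b1": "bob",
    "tok-b2": "bob",
    "tok-c1": "carol",
}


def is_locked(entry: dict) -> bool:
    """Locked-account predicate (assumed attribute convention)."""
    return entry.get("nsAccountLock", "FALSE").upper() == "TRUE"


def disabled_users(previous: Iterable[dict], current: Iterable[dict]) -> Set[str]:
    """Users locked in `current`, plus users present in `previous` but
    absent from `current` (i.e. deleted since the last poll)."""
    prev_uids = {e["uid"] for e in previous}
    cur_entries = list(current)
    cur_uids = {e["uid"] for e in cur_entries}
    locked = {e["uid"] for e in cur_entries if is_locked(e)}
    deleted = prev_uids - cur_uids
    return locked | deleted


def revoke_tokens_for_users(store: Dict[str, str], users: Set[str]) -> List[str]:
    """Delete every token owned by one of `users`; returns the revoked ids.
    In Keystone this is the step delete_tokens_for_user performs."""
    revoked = [tid for tid, uid in store.items() if uid in users]
    for tid in revoked:
        del store[tid]
    return sorted(revoked)


class Reconciler:
    """Keeps the last snapshot and the users already handled so that a
    periodic poll revokes once per lock/deletion, not on every run. A user
    who is unlocked again is forgotten, so a later re-lock revokes again."""

    def __init__(self, initial: List[dict], revoke: Callable[[Set[str]], List[str]]):
        self.previous = list(initial)
        self.handled: Set[str] = set()
        self.revoke = revoke

    def poll(self, current: List[dict]) -> List[str]:
        active = {e["uid"] for e in current if not is_locked(e)}
        self.handled -= active
        targets = disabled_users(self.previous, current) - self.handled
        revoked = self.revoke(targets) if targets else []
        self.handled |= targets
        self.previous = list(current)
        return revoked


def demo() -> List[str]:
    """Run two polls against the constructed data; returns the first poll's revocations."""
    store = dict(TOKEN_STORE)
    rec = Reconciler(SNAPSHOT_T0, lambda users: revoke_tokens_for_users(store, users))
    first = rec.poll(SNAPSHOT_T1)   # bob locked, carol deleted -> three tokens
    second = rec.poll(SNAPSHOT_T1)  # same snapshot again -> nothing new
    assert second == [] and "tok-a1" in store
    return first


if __name__ == "__main__":
    print(demo())  # ['tok-b1', 'tok-b2', 'tok-c1']
```

The deletion case is detected only by comparing against the previous snapshot, so the poller must persist its last snapshot across restarts (or treat the first run after a restart as a full-revocation baseline); the poll interval bounds how long a locked user's tokens remain usable, which is the trade-off a read-only directory imposes.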
