Revoke tokens for user disabled in LDAP

asked 2014-03-20 14:00:37 -0600

Ruslan Kiianchuk

If Keystone is set up with LDAP back-end and does not have write access to it, is there a way to invalidate tokens upon user lock/deletion in LDAP? From my observation all operations that would cause existing user tokens to be revoked require write rights to LDAP back-end.

Is there any existing solution?


1 answer


answered 2014-03-20 20:15:16 -0600

updated 2014-03-20 20:15:40 -0600

Why do you think token revocation requires LDAP write privileges? Tokens don't use LDAP. If you detect a user lock/deletion, then you need to get the tokens issued for the user and delete them.

Look at this file, line no. 210, for the method delete_tokens_for_user.


I never said token revocation requires LDAP write privileges. The goal is to revoke tokens once a user gets locked in LDAP. However, with write access to LDAP, it's possible to perform some actions that would cause tokens to be automatically revoked (like deleting the Member role).

Ruslan Kiianchuk (2014-03-31 00:23:38 -0600)
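The approach the answer describes (detect the lock or deletion on the read-only LDAP side, then delete every token issued to that user) can be shown end to end without touching LDAP. The following is an added example, not code from the thread or from Keystone: LDAP entries are stand-in dicts with a `uid` and a constructed `locked` flag, and `TokenStore` is a small in-memory stand-in for a Keystone token backend whose `delete_tokens_for_user` method only borrows the name the answer points at. The reconciler compares consecutive read-only snapshots, so a user who vanishes from the directory (deleted) and a user who is present but locked are both caught, and repeated polls are idempotent.

```python
"""Added example (not from the Ask OpenStack thread or Keystone itself):
poll a read-only LDAP snapshot, detect locked or deleted users, and
revoke all tokens issued to them. Nothing here writes to LDAP.

Assumptions (constructed for this example): LDAP entries are dicts with a
'uid' and an optional boolean 'locked' attribute; TokenStore stands in for
Keystone's token driver and its delete_tokens_for_user() only reuses the
method name mentioned in the answer above.
"""
from dataclasses import dataclass
import time


@dataclass
class Token:
    token_id: str
    user_id: str
    expires: float


class TokenStore:
    """Minimal in-memory token backend with a per-user index so that
    revoking everything a user holds does not require a full scan."""

    def __init__(self):
        self._tokens = {}   # token_id -> Token
        self._by_user = {}  # user_id -> set(token_id)

    def issue(self, token_id, user_id, ttl=3600.0):
        tok = Token(token_id, user_id, time.time() + ttl)
        self._tokens[token_id] = tok
        self._by_user.setdefault(user_id, set()).add(token_id)
        return tok

    def validate(self, token_id):
        tok = self._tokens.get(token_id)
        return tok is not None and tok.expires > time.time()

    def delete_tokens_for_user(self, user_id):
        """Revoke every live token for user_id; returns how many were removed."""
        ids = self._by_user.pop(user_id, set())
        for tid in ids:
            self._tokens.pop(tid, None)
        return len(ids)


class LdapReconciler:
    """Compares successive read-only LDAP snapshots and revokes tokens for
    users that are locked or that disappeared since the previous poll."""

    def __init__(self, store):
        self.store = store
        self.active = set()  # uids seen unlocked in the previous snapshot

    def poll(self, snapshot):
        """snapshot: list of LDAP entry dicts. Returns {uid: revoked_count}."""
        present = {e["uid"] for e in snapshot}
        now_active = {e["uid"] for e in snapshot if not e.get("locked", False)}
        # Targets: previously active users who vanished (deleted) plus users
        # present but locked. Users already handled earlier are not re-targeted
        # once they drop out of both sets, so the loop stays idempotent.
        targets = (self.active | present) - now_active
        revoked = {uid: self.store.delete_tokens_for_user(uid) for uid in sorted(targets)}
        self.active = now_active
        return revoked


def demo():
    """Constructed scenario: carol is already locked, then alice gets locked
    and bob is deleted between polls. Returns the per-poll revocation counts
    and the validity of a few tokens so the behaviour can be checked."""
    store = TokenStore()
    for tid, uid in [("t1", "alice"), ("t2", "alice"), ("t3", "bob"), ("t4", "carol")]:
        store.issue(tid, uid)
    rec = LdapReconciler(store)

    snap1 = [{"uid": "alice"}, {"uid": "bob"}, {"uid": "carol", "locked": True}]
    r1 = rec.poll(snap1)
    snap2 = [{"uid": "alice", "locked": True}]  # bob no longer in LDAP
    r2 = rec.poll(snap2)
    r3 = rec.poll(snap2)  # nothing new: counts drop to zero
    return r1, r2, r3, store.validate("t1"), store.validate("t3"), store.validate("t4")


if __name__ == "__main__":
    print(demo())
```

In a real deployment the snapshot would come from an LDAP search using whatever attribute the directory uses to mark a locked account, and `delete_tokens_for_user` would be the token driver's method; the polling interval bounds how long a locked user's tokens stay usable, so it should be set well below the token lifetime.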

Asked: 2014-03-20 14:00:37 -0600

Seen: 171 times

Last updated: Mar 20 '14