Keystone LDAP integration is is undefined for LDAP Referral Records

Solution Unverified - Updated -


  • Keystone LDAP integration does not cleanly handle LDAP Referral records. If a referral record is returned by the LDAP server then python encounters a type mismatch when it gets a string (the referral URL) where it is expecting an attribute array. Keystone should either handle referrals correctly or set the protocol option LDAP_OPT_REFERRALS to 0 when performing a BIND operation. In either case, Keystone should verify the type of the return record before attempting to decode it.

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In