I think I found a problem in the extra attributes handling in the LDAP backend.
Also I'd like to propose a solution :)
There is a bug https://bugs.launchpad.net/keystone/+bug/1336769
"LDAP additional attribute mappings do not care about model attribute"
reported by Marcos Lobo (https://launchpad.net/~marcos-fermin-lobo)
It describes a problem where the server handles requests without any warning
about model data mismatches.
First of all, I've noticed that it is all about optional attributes and it
seems to be okay to handle them as I see fit. But in the end Marcos
"I have a mistake in the keystone.conf file and everything is working
This got my attention and I've decided to check field mappings, model
validations, CRUD and anything available in that direction.
I found nothing about model validation. Really, there is no means to be
sure you received valid data from the LDAP backend.
completely ignores the extra fields mapping while translating data received
from the LDAP server to the model structure.
Tests correctly cover only the create operation, checking model to ldap
But the test for retrieval only covers the case when "description" mapped to
The test passes not because the extra mapping works but due to the default
behaviour of the generic mapping: if a mapping is not found, pass the field as is.
I added required attribute validation to keystone.common.models.Model,
but applying it resulted in many test failures.
Further analysis revealed that there are some algorithms depending on
behaviour such as saving/retrieving model instances without some fields
declared in a model as required.
So I had to fall back to a warning instead of raising a validation error.
The patch awaits review and I'm in doubt: is this a single bug, or does it
have to be split?
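Added illustration, not part of the original message and not Keystone code: a simplified model of the retrieval path discussed above. It shows that an extra mapping whose LDAP attribute name equals the model field name cannot tell a working reverse mapping from the pass-through default, and how a warning-only required-attribute check behaves. All names (`CORE_MAPPING`, `ldap_to_model`, `missing_required`) and the sample entries are assumptions constructed for the example.

```python
import logging

log = logging.getLogger("ldap_model_sketch")

# Constructed stand-ins for a model's core mapping (model field -> LDAP attribute).
CORE_MAPPING = {"id": "cn", "name": "ou"}
REQUIRED = ("id", "name")


def ldap_to_model(entry, extra_mapping, honour_extra):
    """Translate an LDAP entry (attribute -> value) into a model dict.

    honour_extra=False models a read path that ignores the extra mapping.
    """
    mapping = dict(CORE_MAPPING)
    if honour_extra:
        mapping.update(extra_mapping)
    reverse = {ldap_attr: field for field, ldap_attr in mapping.items()}
    # Generic default: an attribute with no mapping is passed through as is.
    return {reverse.get(attr, attr): value for attr, value in entry.items()}


def missing_required(model):
    """Warn (do not raise) about absent required fields; return their names."""
    missing = [field for field in REQUIRED if field not in model]
    if missing:
        log.warning("model is missing required attributes: %s", missing)
    return missing


# Constructed sample data.
SAME_NAME = ({"cn": "p1", "ou": "demo", "description": "d"},
             {"description": "description"})
DIFFERENT_NAME = ({"cn": "p1", "ou": "demo", "businessCategory": "d"},
                  {"description": "businessCategory"})

if __name__ == "__main__":
    for entry, extra in (SAME_NAME, DIFFERENT_NAME):
        for honour in (False, True):
            print(extra, honour, ldap_to_model(entry, extra, honour))
```

Only the `DIFFERENT_NAME` case distinguishes the two read paths, so a retrieval test needs a mapping where the LDAP attribute and the model field differ.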