In OpenStack Keystone versions prior to 28.0.1, the LDAP identity backend mishandles the user enabled attribute due to improper type conversion. Specifically, when the user_enabled_invert configuration option is False (default), the _ldap_res_to_model method in the UserApi class does not convert the LDAP user enabled attribute from a string to a boolean. Because non-empty strings are truthy in Python, users disabled in LDAP (e.g., with the string "FALSE") are incorrectly treated as enabled, allowing unauthorized authentication and action execution. This is classified as a CWE-843 (Access of Resource Using Incompatible Type) vulnerability. Affected versions include 8.0.0, 26.0.0, 27.0.0, and 28.0.0.

Users who are marked as disabled in the LDAP directory can bypass this restriction and authenticate successfully in Keystone, potentially gaining unauthorized access and performing actions they should not be allowed to. This compromises the integrity and access control of the affected OpenStack Keystone deployments. The CVSS score of 7.7 (high) reflects the network attack vector, high impact on availability, and low complexity but requiring low privileges and no user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, affected deployments should consider setting the user_enabled_invert configuration option to True or enabling user_enabled_emulation as a temporary workaround to ensure proper boolean conversion of the user enabled attribute. Monitor OpenStack Keystone vendor advisories for updates and official patches.