Andrewbogott

Researcher from Wikimedia Foundation
#34050 of 53,625
7.7 Total CVSS
Vulnerabilities · 1
PT-2026-32909
7.7
2026-04-14
Openstack · Keystone · CVE-2026-40683
**Name of the Vulnerable Software and Affected Versions**
OpenStack Keystone versions prior to 28.0.1

**Description**
The LDAP identity backend fails to convert the user enabled attribute to a boolean value when the `user_enabled_invert` configuration option is set to False. Specifically, the `_ldap_res_to_model()` function in the `UserApi` class only performs string-to-boolean conversion when `user_enabled_invert` is True. When False, the raw string value from LDAP is used. Because non-empty strings are considered truthy in Python, users marked as disabled in LDAP are treated as enabled, allowing them to authenticate and perform actions. This affects deployments using the LDAP identity backend without `user_enabled_invert=True` or `user_enabled_emulation`.

**Recommendations**
Update to version 28.0.1 or later. As a temporary workaround, set the `user_enabled_invert` configuration option to True or enable `user_enabled_emulation`.
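The truthiness flaw described above, modelled as an added example beside a corrected conversion. This is not Keystone's source code: the function names, the `'TRUE'`/`'FALSE'` string encoding and the sample directory entries are assumptions made for illustration.

```python
# Simplified model of the flaw in the advisory; NOT Keystone's code.
# All function names and the sample LDAP values are constructed.

def parse_ldap_bool(raw):
    """Map an LDAP boolean string such as 'TRUE' or 'FALSE' to a Python bool."""
    if isinstance(raw, bool):
        return raw
    return str(raw).strip().lower() == "true"


def enabled_flawed(raw_enabled, invert):
    # Conversion happens only on the invert branch, as the advisory describes.
    if invert:
        return not parse_ldap_bool(raw_enabled)
    return raw_enabled  # raw string leaks through: 'FALSE' is a non-empty str


def enabled_fixed(raw_enabled, invert):
    # Always convert first, then apply the optional inversion.
    enabled = parse_ldap_bool(raw_enabled)
    return (not enabled) if invert else enabled


def may_authenticate(enabled):
    # A caller that relies on Python truthiness of the 'enabled' field.
    return bool(enabled)


def audit(entries, invert=False):
    """Names admitted by the flawed path but rejected by the fixed path."""
    return [
        name
        for name, raw in entries
        if may_authenticate(enabled_flawed(raw, invert))
        and not may_authenticate(enabled_fixed(raw, invert))
    ]


# Constructed sample: (uid, raw value of the LDAP 'enabled' attribute)
SAMPLE = [("alice", "TRUE"), ("bob", "FALSE"), ("carol", "false"), ("dave", "TRUE")]

if __name__ == "__main__":
    print("disabled in LDAP but treated as enabled:", audit(SAMPLE))
```

Running `audit` over a directory export with `invert=False` lists the accounts whose disabled state would be ignored on an unpatched deployment.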