ldap _get_enabled is returning entire groupOfNames object for enabled_users and enabled_tenants

Bug #1217447 reported by Justin Shepherd
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Justin Shepherd

Bug Description

If you have 500 users in a tenant, the enabled_users check will return a groupOfNames object with 500 user CNs in it.

Example ldapsearch:

ldapsearch -x -D "cn=admin,dc=example,dc=com" -wpassword -b "cn=enabled_users,ou=Users,dc=example,dc=com" "member=cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com" -s base

***** OUTPUT *****
# extended LDIF
#
# LDAPv3
# base <cn=enabled_users,ou=Users,dc=rcb,dc=me> with scope baseObject
# filter: member=cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=rcb,dc=me
# requesting: ALL
#

# enabled_users, Users, example.com
dn: cn=enabled_users,ou=Users,dc=example,dc=com
objectClass: groupOfNames
member: cn=dumb,dc=nonexistent
member: cn=2c0c7a0ad381465e87faea4209780b93,ou=Users,dc=example,dc=com
member: cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com
member: cn=297b9d63b5fa4dcea1f33a21d732d357,ou=Users,dc=example,dc=com
member: cn=fbe7ecef7bf64631943aed243c8a8740,ou=Users,dc=example,dc=com
member: cn=2fa87b703eba4d118e8cecd7a9398a59,ou=Users,dc=example,dc=com
member: cn=079b66e2f49449279e62057f94d0f370,ou=Users,dc=example,dc=com
member: cn=e0c53180c6c344bc806ba558009258cf,ou=Users,dc=example,dc=com
member: cn=a7e152918f8c42d18023abb147b129a6,ou=Users,dc=example,dc=com
member: cn=3278c2b961a547edb7496f023f73eee5,ou=Users,dc=example,dc=com
member: cn=ea70ba972c334fe39210a35ede37a1ab,ou=Users,dc=example,dc=com
member: cn=f18cb5cbb6204f44853348abeef8dd9d,ou=Users,dc=example,dc=com
member: cn=229366aa6ba3444f9bd8392342be81ab,ou=Users,dc=example,dc=com
member: cn=efe4b41cac284a99a0cf4e0164e29ded,ou=Users,dc=example,dc=com
member: cn=1f023c493f1241bb9fe02181f134fe13,ou=Users,dc=example,dc=com
member: cn=a51ce49edc124096ba6dcb88b8ae518d,ou=Users,dc=example,dc=com
member: cn=07d324f7b86d4fc39572a574953bc4a3,ou=Users,dc=example,dc=com
***** SNIP *****
member: cn=07d6df2e33bf4dafa93ef30a3b77d97f,ou=Users,dc=example,dc=com
member: cn=c238bf336bc6466db5e92bb9ae68dcde,ou=Users,dc=example,dc=com
member: cn=12c01d4381e74721b1c46a84b3e56b5a,ou=Users,dc=example,dc=com
cn: enabled_users

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The return size increases with the number of users in the tenant (e.g. 1000 users will return 1000+ rows).

The LDAP query should supply an Attribute List of CN instead of returning the entire list.
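
Added example, not part of the original report and not keystone's own code: the same base-scope membership check run with and without an attribute list, to show that the filter alone decides membership while the attribute list decides how much of the group entry is sent back. FakeDirectory, is_enabled, value_count and the user%04d DNs are constructed for illustration; search_s takes its arguments in the same order as python-ldap's search_s.

```python
SCOPE_BASE = 0  # numeric value of ldap.SCOPE_BASE in python-ldap


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection.

    Models only a base-scope search with a single equality filter.
    """

    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: [values]}}

    def search_s(self, base, scope, filterstr, attrlist=None):
        assert scope == SCOPE_BASE, "only base scope is modelled"
        attr, _, value = filterstr.strip("()").partition("=")
        entry = self.entries.get(base)
        if entry is None or value not in entry.get(attr, []):
            return []  # filter did not match: no entry is returned
        if attrlist is None:
            return [(base, dict(entry))]  # no attribute list: every attribute comes back
        return [(base, {a: entry[a] for a in attrlist if a in entry})]


def is_enabled(conn, group_dn, member_dn, attrlist=("cn",)):
    """Membership test: a non-empty result means member_dn is in the group."""
    # Against a real server, escape member_dn first (ldap.filter.escape_filter_chars).
    rows = conn.search_s(group_dn, SCOPE_BASE, "(member=%s)" % member_dn,
                         list(attrlist) if attrlist else None)
    return bool(rows), rows


def value_count(rows):
    """Number of attribute values carried in a search result."""
    return sum(len(vals) for _dn, attrs in rows for vals in attrs.values())


# Constructed sample data: a 500-member enabled_users group.
GROUP_DN = "cn=enabled_users,ou=Users,dc=example,dc=com"
MEMBERS = ["cn=user%04d,ou=Users,dc=example,dc=com" % i for i in range(500)]
DIRECTORY = FakeDirectory({GROUP_DN: {
    "objectClass": ["groupOfNames"], "cn": ["enabled_users"], "member": MEMBERS}})

if __name__ == "__main__":
    for attrs in (None, ("cn",)):
        found, rows = is_enabled(DIRECTORY, GROUP_DN, MEMBERS[42], attrs)
        print("attrlist=%r enabled=%s values=%d" % (attrs, found, value_count(rows)))
```

Both calls give the same yes/no answer; only the unrestricted one carries every other member DN back to the caller.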

Dolph Mathews (dolph)
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana-rc1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/44117

Changed in keystone:
assignee: nobody → Justin Shepherd (jshepher)
status: Confirmed → In Progress
Dolph Mathews (dolph)
Changed in keystone:
milestone: havana-rc1 → havana-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/44117
Committed: http://github.com/openstack/keystone/commit/4a7199b4a6dcf7c6b5c38c43d2bbff1533b6df28
Submitter: Jenkins
Branch: master

commit 4a7199b4a6dcf7c6b5c38c43d2bbff1533b6df28
Author: galstrom21 <email address hidden>
Date: Wed Aug 28 13:12:34 2013 -0500

    Add 'cn' to attribute_list for enabled_users/tenants query

    Fixes Bug: 1217447

    Change-Id: I712b2fccc08d48487515491684ef8e6c9a91ee0a

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-3 → 2013.2