ldap _get_enabled is returning entire groupOfNames object for enabled_users and enabled_tenants
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Justin Shepherd |
Bug Description
If you have 500 users in a tenant, the enabled_users check will return a groupOfNames object with 500 user CNs in it.
example ldapsearch: ldapsearch -x -D "cn=admin,
***** OUTPUT *****
# extended LDIF
#
# LDAPv3
# base <cn=enabled_
# filter: member=
# requesting: ALL
#
# enabled_users, Users, example.com
dn: cn=enabled_
objectClass: groupOfNames
member: cn=dumb,
member: cn=2c0c7a0ad381
member: cn=6ac4f3701ba1
member: cn=297b9d63b5fa
member: cn=fbe7ecef7bf6
member: cn=2fa87b703eba
member: cn=079b66e2f494
member: cn=e0c53180c6c3
member: cn=a7e152918f8c
member: cn=3278c2b961a5
member: cn=ea70ba972c33
member: cn=f18cb5cbb620
member: cn=229366aa6ba3
member: cn=efe4b41cac28
member: cn=1f023c493f12
member: cn=a51ce49edc12
member: cn=07d324f7b86d
***** SNIP *****
member: cn=07d6df2e33bf
member: cn=c238bf336bc6
member: cn=12c01d4381e7
cn: enabled_users
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The return size increases with the number of users in the tenant (e.g. 1000 users will return 1000+ rows).
The ldap query should supply an Attribute List of CN instead of returning the entire list.
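The attribute-list approach suggested in the description, as an added example (not keystone's code): a base-scope membership check that requests only `cn`, following the call shape of python-ldap's `search_s(base, scope, filterstr, attrlist)`. `FakeDirectory`, `sample_directory`, the helper names and the DNs are constructed so the block runs offline.

```python
SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE in python-ldap
GROUP_DN = "cn=enabled_users,ou=Users,dc=example,dc=com"  # constructed sample DN


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search_membership(conn, group_dn, member_dn, attrlist=("cn",)):
    """Base-scope search on the group; the server returns only attrlist."""
    flt = "(member=%s)" % escape_filter_value(member_dn)
    return conn.search_s(group_dn, SCOPE_BASE, flt,
                         list(attrlist) if attrlist else None)


def is_member(conn, group_dn, member_dn):
    """Membership is decided by whether the entry matched, not by its content."""
    return len(search_membership(conn, group_dn, member_dn)) == 1


def response_values(results):
    """Number of attribute values the client receives and has to parse."""
    return sum(len(vals) for _, attrs in results for vals in attrs.values())


class FakeDirectory:
    """Constructed offline stand-in for a connection (not python-ldap itself).

    Holds one entry and honours attrlist as a server does: None returns every
    attribute, otherwise only the requested ones.
    """

    def __init__(self, dn, entry):
        self.dn, self.entry = dn, entry

    def search_s(self, base, scope, filterstr, attrlist=None):
        wanted = filterstr[len("(member="):-1]
        known = {escape_filter_value(m) for m in self.entry["member"]}
        if base != self.dn or wanted not in known:
            return []
        keep = None if attrlist is None else {a.lower() for a in attrlist}
        attrs = {k: v for k, v in self.entry.items()
                 if keep is None or k.lower() in keep}
        return [(self.dn, attrs)]


def sample_directory(n_users):
    """Constructed groupOfNames entry with n_users members."""
    members = ["cn=user%d,ou=Users,dc=example,dc=com" % i for i in range(n_users)]
    entry = {"objectClass": ["groupOfNames"], "cn": ["enabled_users"], "member": members}
    return FakeDirectory(GROUP_DN, entry)
```

With 500 members, passing `attrlist=None` returns 502 attribute values for a single yes/no answer, while the default `("cn",)` returns one.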
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana-rc1
Changed in keystone:
milestone: havana-rc1 → havana-3
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: havana-3 → 2013.2
Fix proposed to branch: master
Review: https://review.openstack.org/44117