Keystone Havana Authentication Error using samAccountName in Active Directory

I've discovered that other attributes work besides cn, including sn and gecos, but samAccountName doesn't work. This makes me think that it's got something to do with a schema definition somewhere, but I'm still digging around trying to find it. I'm running keystone havana on Ubuntu 12.04.4 LTS

I'd also be curious to know if this is still an issue in master -- a similar sounding issue was fixed awhile back, but perhaps not backported.

looks like I've got it working now. Turns out things are case sensitive, and the id attribute must be cn apparently. So:

user_id_attribute = cn
user_name_attribute = sAMAccountName

works. Note that I was using a different case - samAccountName - which is incorrect. sAMAccountName is correct. Now I can logon using my sAMAccountName even when it is different than the cn, which was my goal.

I guess this can be closed, though it might be good to document it somewhere.

FYI, I've got my whole Keystone/Active Directory configuration documented at http://behindtheracks.com/2013/08/openstack-active-directory-integration/

Fix proposed to branch: master
Review: https://review.openstack.org/74236

> it might be good to document it somewhere

Thanks, will do! I'm bookmarking your config as well.

I think we should look into this more to see if keystone is doing a case-insensitive compare of an attribute.

I've just done more testing, and I believe the case sensitivity is in python-ldap. This code demonstrates:

#!/usr/bin/env python
import ldap

server="ldap://mydomain.net"
user_dn="mydomain\myaccount"
user_pw="mypassword"

l = ldap.initialize(server)
l.bind_s(user_dn, user_pw)
base_dn = 'cn=Users,dc=mydomain,dc=net'
filter = '(&(objectclass=person)(sn=Seltzer))'
attrs = ['samaccountname']
results = l.search_s( base_dn, ldap.SCOPE_SUBTREE, filter, attrs )
for result in results:
 print result[1]
 print result[1]["samAccountName"][0]

the search itself is not case sensitive (the case used in the attrs doesn't matter), however the keyname in the result is indeed case sensitive so the last line throws a keyerror. However if I fix the case:

 print result[1]["sAMAccountName"][0]

then it works fine. So I think this behavior is baked into python-ldap...

I guess we could wrapper the results with a dict that does case-insensitive comparison.

That makes sense to me. If it was case-insensitive, my config would have worked the first time I think. Thanks for the attention!

The exact behavior is really a function of the LDAP server, as the server determines what case an attribute name is returned in. However the attribute name is returned is how python-ldap will use it in the dict. As an example, I did some tests with 389 Directory Server. If I don't explicitly ask for the attribute to return, it uses the attribute name as defined in the schema. If I do ask for the attribute to be returned, it is returned in the case that the client asked for it:

------------------------------------------------------
$ ldapsearch -x -D "cn=directory manager" -W -b "dc=example,dc=com" "sn=Kinder"
# nkinder, example.com
dn: uid=nkinder,dc=example,dc=com
cn: Nathan Kinder
...

$ ldapsearch -x -D "cn=directory manager" -W -b "dc=example,dc=com" "sn=Kinder" "cN"
# nkinder, example.com
dn: uid=nkinder,dc=example,dc=com
cN: Nathan Kinder

$ ldapsearch -x -D "cn=directory manager" -W -b "dc=example,dc=com" "sn=Kinder" "cn"
# nkinder, example.com
dn: uid=nkinder,dc=example,dc=com
cn: Nathan Kinder
------------------------------------------------------

Other LDAP servers may behave differently, such as returning the attribute name in the case that it is defined in the schema, regardless of how the client specifies the attribute name. Without knowing how a particular LDAP server implementation behaves, it's difficult to guess what case we should use when looking for an attribute in the dict. The only sure way to make this work is to do a case-insensitive comparison as suggested by Brant in comment#9.

Nathan, You are correct. I just tested against Active Directory, and the result came back with the case as defined in the schema, regardless of my input.

$ ldapsearch -x -D "cn=administrator,cn=users,dc=example,dc=com" -W -b "cn=users,dc=example,dc=com" -h 192.168.1.253 "cn=brian" "samaccountname"

# brian, Users, example.com
dn: CN=brian,CN=Users,DC=example,DC=com
sAMAccountName: brian

So yes, Active Directory appears to behave differently than 389 Directory Server, and Nate's case-insensitive compare suggestion would seem to be the right way to fix this.

Fix proposed to branch: master
Review: https://review.openstack.org/86486

Reviewed: https://review.openstack.org/86486
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7c104e13fce919dd2563f06ce31c059f145beb77
Submitter: Jenkins
Branch: master

commit 7c104e13fce919dd2563f06ce31c059f145beb77
Author: Nathan Kinder <email address hidden>
Date: Wed Apr 9 18:24:21 2014 -0700

    Treat LDAP attribute names as case-insensitive

    LDAP attribute names are case-insensitive, and different LDAP
    server implementations behave differently when returning search
    results. Keystone attempts to use the attribute names as defined
    in the mapping configuration when checking for values in the dict
    that represents the search results. If the case doesn't match,
    we won't find the values which can lead to errors.

    This patch converts the dictionary keys to lowercase to allow us
    to perform a case-insensitive lookup when processing LDAP search
    results. When we create the model object, we still use the
    attribute name case as defined in the mapping to allow predictable
    lookups when we process the model object later.

    Change-Id: Ib9a03b912bc7652dc6a61b1c97a950e263a9c6fa
    Closes-bug: 1281216

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/89898

Reviewed: https://review.openstack.org/89898
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1716748df15443f1141f69ea620c4bc33758433d
Submitter: Jenkins
Branch: stable/icehouse

commit 1716748df15443f1141f69ea620c4bc33758433d
Author: Nathan Kinder <email address hidden>
Date: Wed Apr 9 18:24:21 2014 -0700

    Treat LDAP attribute names as case-insensitive

    LDAP attribute names are case-insensitive, and different LDAP
    server implementations behave differently when returning search
    results. Keystone attempts to use the attribute names as defined
    in the mapping configuration when checking for values in the dict
    that represents the search results. If the case doesn't match,
    we won't find the values which can lead to errors.

    This patch converts the dictionary keys to lowercase to allow us
    to perform a case-insensitive lookup when processing LDAP search
    results. When we create the model object, we still use the
    attribute name case as defined in the mapping to allow predictable
    lookups when we process the model object later.

    Change-Id: Ib9a03b912bc7652dc6a61b1c97a950e263a9c6fa
    Closes-bug: 1281216
    (cherry picked from commit 7c104e13fce919dd2563f06ce31c059f145beb77)