OpenStack Identity (keystone)

BaseLDAP builds tree_dn backwards

Bug #980209 reported by Adam Young on 2012-04-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Low	Unassigned	OpenStack Identity (keystone) 2012.2 "folsom"

Bug Description

If the configuration file specifies only the suffix, the code to build the base DN prepends the suffix instead of appending it, so the DN looks like

cn=example,cn=com,ou=Users

instead of

ou=Users,cn=example,cn=com

Revision history for this message

Adam Young (ayoung) wrote on 2012-04-12:

The fix is
[ayoung@ayoung ldap]$ git show
commit f9238e29a3e83989b98dde62597156aafa1e68a0
Author: Adam Young <email address hidden>
Date: Thu Apr 12 15:19:54 2012 -0400

Correct Tree DN

diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 72647c2..43a33d7 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -83,7 +83,7 @@ class BaseLdap(object):
                 self.suffix = self.DEFAULT_SUFFIX
             dn = '%s_tree_dn' % self.options_name
             self.tree_dn = (getattr(conf.ldap, dn)
- or '%s,%s' % (self.suffix, self.DEFAULT_OU))
+ or '%s,%s' % (self.DEFAULT_OU, self.suffix))

idatt = '%s_id_attribute' % self.options_name
self.id_attr = getattr(conf.ldap, idatt) or self.DEFAULT_ID_ATTR

Revision history for this message

Adam Young (ayoung) wrote on 2012-04-12:

Until patch is applied, the work-around is to specify

user_tree_dn = ou=Users,cn=example,cn=com
tenant_tree_dn = ou=Tenants,cn=example,cn=com
role_tree_dn = ou=Roles,cn=example,cn=com

in keystone.conf

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-04-12: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/6504

Changed in keystone:
status:	New → In Progress

Renier Morales (renier-h) on 2012-06-07

Changed in keystone:
status:	In Progress → Confirmed

Renier Morales (renier-h) on 2012-06-07

Changed in keystone:
status:	Confirmed → In Progress
status:	In Progress → Confirmed

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-06-07:

Fix should be re-proposed

Joseph Heck (heckj) on 2012-06-07

Changed in keystone:
importance:	Undecided → Low

OpenStack Infra (hudson-openstack) on 2012-06-30

Changed in keystone:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-07-03: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/6504
Committed: http://github.com/openstack/keystone/commit/58105d8f5637109ea1f68c94cf8f120399d54dea
Submitter: Jenkins
Branch: master

commit 58105d8f5637109ea1f68c94cf8f120399d54dea
Author: Adam Young <email address hidden>
Date: Wed Jun 27 18:20:16 2012 -0400

Correct Tree DN

    instead of
        cn=example,cn=com,ou=Users
    code now generates
        ou=Users,cn=example,cn=com

Getting stricter in testing and adding some regression testing

Fixes Bug 980209

Change-Id: Ib97e6cb00848ea183c7e1f2b2589b25924a08caa

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-07-04

Changed in keystone:
milestone:	none → folsom-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-09-27

Changed in keystone:
milestone:	folsom-2 → 2012.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.