Length of user_name in database too short for X.509 DNs

Bug #1081932 reported by Alvaro Lopez on 2012-11-22
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Morgan Fainberg

Bug Description

We are using the REMOTE_AUTH authentication with X.509 certificates, setting the username to the user certificate's DN. However, the name column in the SQL backend is limited to 64 characters, but the certificate DN can be longer than that so we are unable to add some of our users.

Adam Young (ayoung) wrote :

An example one, a bit on the long side, is

dn="DN=macgregor,cn=PUBLICTEST09,cn=FEDORAPROJECT,cn=ORG"

In [2]: len(dn)
Out[2]: 52

How long do you need them to be?

Changed in keystone:
assignee: nobody → Adam Young (ayoung)
summary: - Lenght of user's name in database might be too short
+ Length of user_name in database too short for X.509 DNs

Alvaro Lopez (aloga) wrote :

Hi,

Some real examples of really, really long DNs (personal details are removed):

/C=IT/O=INFN/OU=Personal Certificate/L=University of Perugia Dept Maths and CompSci/CN=XXXXXXXXXXXXXXXXXXXXX
/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=users/C=CH/O=Paul-Scherrer-Institut (PSI)/CN=XXXXXXXXXXXXXXXX
/DC=org/DC=terena/DC=tcs/C=NL/O=Stichting Academisch Rekencentrum Amsterdam/CN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/DC=ORG/DC=SEE-GRID/O=People/O=Georgian Research and Educational Networking Association/CN=XXXXXXXXXXXXXXXXXXXX

Adam Young (ayoung) on 2012-12-04
Changed in keystone:
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/22694

Changed in keystone:
assignee: Adam Young (ayoung) → Alvaro Lopez (aloga)
status: Confirmed → In Progress

Dolph Mathews (dolph) wrote :

Patch appears to be abandoned.

Changed in keystone:
importance: Undecided → Low
status: In Progress → Confirmed
assignee: Alvaro Lopez (aloga) → nobody

Alvaro Lopez (aloga) wrote :

@Dolph, sorry, the patch should still be valid, but I was overwhelmed by other work and couldn't have a look at this.

Changed in keystone:
assignee: nobody → Alvaro Lopez (aloga)
status: Confirmed → In Progress
Changed in keystone:
assignee: Alvaro Lopez (aloga) → Morgan Fainberg (mdrnstm)

Reviewed: https://review.openstack.org/22694
Committed: http://github.com/openstack/keystone/commit/8d6055ede4131a5ab7829561123798fd3807cc34
Submitter: Jenkins
Branch: master

commit 8d6055ede4131a5ab7829561123798fd3807cc34
Author: Alvaro Lopez Garcia <email address hidden>
Date: Tue Dec 18 15:56:20 2012 +0100

    Increase length of username in DB

    Length of username in database may be too short for X.509 DNs and 255
    seems a sane value for it.

    Fixes bug #1081932

    Change-Id: Ie8f696845ea15d37cf13f3fe7978b22deac798b0
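
A check an operator could run over a user list before and after this change, added here as an example (it is not keystone code or part of the commit): it reports which names exceed a column limit and which distinct names share the same first `limit` characters. The names `audit_names` and `SAMPLE_DNS` are hypothetical, the CN values are constructed placeholders, and the collision check assumes a backend that truncates over-length values instead of rejecting them, which the report itself does not state.

```python
OLD_LIMIT = 64   # name column length described in this bug
NEW_LIMIT = 255  # length chosen by the committed fix

# Constructed sample input: DN prefixes as quoted in the comments above,
# CN values are placeholders invented for this example.
PERUGIA = ("/C=IT/O=INFN/OU=Personal Certificate"
           "/L=University of Perugia Dept Maths and CompSci")
SAMPLE_DNS = [
    "DN=macgregor,cn=PUBLICTEST09,cn=FEDORAPROJECT,cn=ORG",
    PERUGIA + "/CN=REDACTED USER A",
    PERUGIA + "/CN=REDACTED USER B",
    "/DC=org/DC=terena/DC=tcs/C=NL"
    "/O=Stichting Academisch Rekencentrum Amsterdam/CN=REDACTED USER C",
]


def audit_names(names, limit):
    """Check names against a column limit of `limit` characters.

    Returns (too_long, collisions):
      too_long   - names that do not fit in the column
      collisions - {prefix: [names]} for distinct names that become the
                   same string when cut to `limit` characters
    """
    too_long = [n for n in names if len(n) > limit]
    by_prefix = {}
    for name in sorted(set(names)):
        by_prefix.setdefault(name[:limit], []).append(name)
    collisions = {p: v for p, v in by_prefix.items() if len(v) > 1}
    return too_long, collisions


if __name__ == "__main__":
    for limit in (OLD_LIMIT, NEW_LIMIT):
        too_long, collisions = audit_names(SAMPLE_DNS, limit)
        print(f"limit={limit}: {len(too_long)} too long, "
              f"{len(collisions)} truncation collision(s)")
        for name in too_long:
            print(f"  {len(name):3d} chars  {name}")
```
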

Changed in keystone:
status: In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-09-05
Changed in keystone:
milestone: none → havana-3
status: Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-3 → 2013.2