ldap dereferencing is broken in the ldap backend
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Allan Feid | 2013.1
Bug Description
Today I attempted to configure the LDAP backend with my existing schema. I wanted to accomplish a scenario where the keystone client can still manage roles/tenants/
dn: ou=openstack,
objectclass: top
objectclass: organizationalUnit
ou: openstack
dn: ou=users,
objectclass: top
objectclass: organizationalUnit
ou: users
dn: ou=roles,
objectclass: top
objectclass: organizationalUnit
ou: roles
dn: ou=tenants,
objectclass: top
objectclass: organizationalUnit
ou: tenants
dn: ou=posix_
objectclass: alias
objectclass: extensibleObject
aliasedobjectname: ou=People,
In this case a simple subtree query with dereferencing set to always or search for objectclass=
$ ldapsearch -a search -ZZxD 'cn=Manager,
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=openstack,
# filter: (&(uid=
# requesting: ALL
#
# afeid, People, example.net
dn: uid=afeid,
objectClass: posixAccount
objectClass: inetOrgPerson
uid: afeid
gidNumber: 10000
uidNumber: 10031
homeDirectory: /home/afeid
loginShell: /bin/bash
..etc..
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
That is great, but upon investigation of the core/identity ldap code in the master branch of keystone, it becomes obvious that there are a lot of assumptions about what the DN of a user should look like (as is necessary). I managed to get dereferences working with a simple:
self.conn.
But after successfully finding a valid user via UserApi.
I'd love to get my schema working since it provides the ability to give openstack its own bind dn that is limited to a subset of my full tree while still working with an externally managed master user tree. I can help contribute, but am unsure how to proceed since I don't know how to pass the results from the UserApi.get_by_name method to the Identity.
tags: added: blueprint
tags: added: low-hanging-fruit
tags: added: grizzly-rc-potential; removed: blueprint
Changed in keystone: importance: Undecided → Medium
Changed in keystone: assignee: Allan Feid (crayz) → Adam Young (ayoung)
Changed in keystone: assignee: Adam Young (ayoung) → Allan Feid (crayz)
Changed in keystone: milestone: none → grizzly-rc1
Changed in keystone: milestone: grizzly-rc1 → 2013.1
After further investigation and confusing myself going back and forth between Folsom/Grizzly based code, it turns out the user_dn problem is solved in master. The only thing necessary is to add a dereference option, which I have a working branch locally for. I will submit it for code review.
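The two points this bug turns on, a per-connection dereference option and the fact that a dereferenced search can return an entry whose DN lies outside the configured user tree, are shown below in an added, offline example. It is not keystone's code and not the reporter's branch. The dereference modes and their wire values are the derefAliases values from RFC 4511, LDAP_OPT_DEREF is OpenLDAP's option number (python-ldap exposes it as ldap.OPT_DEREF), and the DNs are constructed to mirror the report's tree: the suffix dc=example,dc=net and the full alias name ou=posix_users are assumptions, since the page truncates them. The connection object is a stand-in that serves the report's one result.

```python
"""Alias dereferencing in an LDAP user lookup: a constructed, offline example.

Not keystone's code.  The dereference modes and their values come from
RFC 4511 (derefAliases); LDAP_OPT_DEREF is OpenLDAP's option number
(ldap.OPT_DEREF in python-ldap).  DNs mirror the bug report's tree; the
suffix dc=example,dc=net and the alias name ou=posix_users are assumed.
"""
import re

# RFC 4511 derefAliases, in the same order as ldapsearch's -a never/search/find/always
DEREF_MODES = {"never": 0, "searching": 1, "finding": 2, "always": 3}
LDAP_OPT_DEREF = 0x02          # OpenLDAP LDAP_OPT_DEREF (ldap.OPT_DEREF in python-ldap)
SCOPE_SUBTREE = 2              # RFC 4511 wholeSubtree


def deref_value(mode):
    """Map a config string to the derefAliases integer; ldapsearch spellings accepted."""
    key = {"search": "searching", "find": "finding"}.get(mode.lower(), mode.lower())
    if key not in DEREF_MODES:
        raise ValueError("unknown dereference mode: %r" % mode)
    return DEREF_MODES[key]


def escape_filter(value):
    """Escape a value for use inside an LDAP filter (RFC 4515) so a user-supplied
    name cannot add or alter filter terms."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def is_under(dn, base):
    """True when dn lies strictly inside the subtree rooted at base."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) > len(b) and d[len(d) - len(b):] == b


def naive_user_id(dn, tree_dn):
    """The fragile assumption: a user's DN is always '<id attr>=<id>,' + tree_dn.
    An entry reached through an alias breaks it."""
    suffix = "," + tree_dn
    if not dn.lower().endswith(suffix.lower()):
        raise ValueError("DN %s is not directly under %s" % (dn, tree_dn))
    return dn[: -len(suffix)].split("=", 1)[1]


def user_id_from_dn(dn, id_attr="uid"):
    """Take the id from the leading RDN instead; works wherever the entry lives."""
    attr, _, value = split_dn(dn)[0].partition("=")
    if attr.strip().lower() != id_attr:
        raise ValueError("leading RDN of %s is not %s" % (dn, id_attr))
    return value.strip()


class FakeConnection(object):
    """Constructed stand-in for a python-ldap connection serving the report's data:
    ou=posix_users under ou=openstack is an alias for ou=People, so a subtree search
    under ou=openstack reaches uid=afeid only when aliases are dereferenced while
    searching (modes 'searching' and 'always')."""
    AFEID = ("uid=afeid,ou=People,dc=example,dc=net",
             {"uid": [b"afeid"], "uidNumber": [b"10031"], "gidNumber": [b"10000"]})

    def __init__(self):
        self.options = {}

    def set_option(self, option, value):
        self.options[option] = value

    def search_s(self, base, scope, filterstr):
        deref_in_search = self.options.get(LDAP_OPT_DEREF, 0) in (1, 3)
        if (scope == SCOPE_SUBTREE and base.lower() == "ou=openstack,dc=example,dc=net"
                and filterstr == "(uid=afeid)" and deref_in_search):
            return [self.AFEID]
        return []


def find_user(conn, tree_dn, name, mode="always", id_attr="uid"):
    """Apply the dereference option, search the configured tree with an escaped
    filter, and return (dn, user_id) or None.  The entry may sit outside tree_dn."""
    conn.set_option(LDAP_OPT_DEREF, deref_value(mode))
    filt = "(%s=%s)" % (id_attr, escape_filter(name))
    hits = conn.search_s(tree_dn, SCOPE_SUBTREE, filt)
    if not hits:
        return None
    dn, _attrs = hits[0]
    return dn, user_id_from_dn(dn, id_attr)


if __name__ == "__main__":
    conn = FakeConnection()
    tree = "ou=openstack,dc=example,dc=net"
    print(find_user(conn, tree, "afeid", "always"))   # found via the alias
    print(find_user(conn, tree, "afeid", "never"))    # None: alias not followed
```

Against a real server the same sequence is `conn.set_option(ldap.OPT_DEREF, ldap.DEREF_ALWAYS)` followed by `conn.search_s(base, ldap.SCOPE_SUBTREE, filt)` in python-ldap; the point of `user_id_from_dn` is that once aliases are followed, any code deriving the user id by stripping the tree DN off the returned DN (as `naive_user_id` does) fails, so the id has to come from the entry's own RDN or attribute. Escaping the name before it goes into the filter is independent of dereferencing but belongs in any such lookup.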