OpenStack Identity (keystone)

LDAP identity still allows setting domain via attribute

Bug #1209440 reported by Jamie Lennox
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Morgan Fainberg
OpenStack Identity (keystone) 2013.2 "havana"

Bug Description

At keystone/identity/backends/ldap.py:230 we allow mapping domain_id of a user based on the attribute specified in conf.ldap.user_domain_id_attribute which defaults to 'businessCategory'.

My understanding is that this is no longer required and should no longer be allowed and indeed in practice it completely overrides any domain information that is provided in the authentication body.

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
status: New → Confirmed
Revision history for this message
Jamie Lennox (jamielennox) wrote :

How does this also relate to user_domain_id_attribute and group_domain_id_attribute? These default to businessCategory and i now have a couple of projects set to the wrong domain (i'm still not sure how this was ever set wrong).

These are supposed to be domain scoped but if ldap is limited to the default domain (or one domain) surely these should be ignored and overwritten with the default domain?

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
milestone: none → havana-3
Revision history for this message
Dolph Mathews (dolph) wrote :

This looks like it should be a havana release blocker

Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-3 → havana-rc1
Revision history for this message
David Stanek (dstanek) wrote :

I can't find anything that uses user_domain_id_attribute in master. Is this still a problem?

Revision history for this message
Dolph Mathews (dolph) wrote :

Adam/Jamie- please correct me if I'm wrong, but my understanding is that any '*domain_id*' LDAP configuration should be unused at this point, as the LDAP driver now only supports a single domain (as we move towards https://blueprints.launchpad.net/keystone/+spec/multiple-ldap-servers ). Is that true?

Maybe the only work to do here is to un-document old configuration options such as keystone.conf [ldap] user_domain_id_attribute, and any similar domain_id attributes?

Dolph Mathews (dolph)
Changed in keystone:
status: Confirmed → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46207

Changed in keystone:
assignee: Adam Young (ayoung) → Morgan Fainberg (mdrnstm)
status: Incomplete → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/47514

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/47514
Committed: http://github.com/openstack/keystone/commit/668ee718127a9983d4838b868efd44ddf661b533
Submitter: Jenkins
Branch: master

commit 668ee718127a9983d4838b868efd44ddf661b533
Author: Morgan Fainberg <email address hidden>
Date: Thu Sep 19 19:53:02 2013 -0700

    Remove ldap identity domain attribute options

    LDAP Identity backend is not domain aware, and therefore does not
    need mappings for the domain attributes for user and group.

    closes-bug: 1209440
    Change-Id: Ib7b77b90134322d04b5826b151d05535b9b8b7c7

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-rc1 → 2013.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.