Document howto config LDAP identity with non-DN based ids.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Won't Fix | Medium | Marek Denis |
Bug Description
I can successfully configure keystone LDAP settings to authenticate against Active Directory using the cn attribute of the user account as the user_id_attribute (i.e. user_id_attribute = cn in keystone.conf). However, in my (and most) Active Directory deployments, the cn is not used as the login ID. Instead, other attributes such as samAccountName or userPrincipalName are used for login. In Active Directory, cn is commonly populated with the user's full name.
When I try to use samAccountName (i.e. user_id_attribute = samAccountName) then authentication fails.
The search bit works fine:
2013-08-08 09:43:23 DEBUG [keystone.
But the subsequent bind fails when the code appears to build an invalid dn and tries to bind with it as shown below:
2013-08-08 09:43:23 DEBUG [keystone.
The dn should start with cn= not samAccountName=. The code should search for a user object by samAccountName and return the correct dn to be used for the bind. Since the dn is invalid, the bind fails and authentication fails.
Invalid user / password (HTTP 401)
I'm not sure if this is all within the keystone ldap provider code or in some dependent LDAP code. Any help would be much appreciated.
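Added example (not code from the bug report or from keystone): a minimal Python model of the failure described above. It uses a constructed in-memory directory where cn holds the full name and samAccountName the login, and contrasts a bind DN built by concatenating user_id_attribute with a bind DN resolved by searching for the entry first. TREE_DN and the entries are assumed sample values.

```python
"""Two ways to derive the bind DN for a user looked up by user_id_attribute.

The directory below is a constructed in-memory stand-in for an AD subtree
(not a real server): cn holds the full name, samAccountName the login.
"""

TREE_DN = "ou=users,dc=example,dc=com"  # assumed user_tree_dn value

DIRECTORY = {
    "cn=John Smith," + TREE_DN: {
        "cn": "John Smith",
        "samAccountName": "jsmith",
        "userPrincipalName": "jsmith@example.com",
    },
    "cn=Ann Lee," + TREE_DN: {
        "cn": "Ann Lee",
        "samAccountName": "alee",
        "userPrincipalName": "alee@example.com",
    },
}


def naive_bind_dn(user_id_attribute, user_id, tree_dn=TREE_DN):
    """Build the DN by string concatenation, as the report describes.

    This only names a real entry when user_id_attribute is also the RDN
    attribute of the user objects (cn in this directory).
    """
    return f"{user_id_attribute}={user_id},{tree_dn}"


def searched_bind_dn(user_id_attribute, user_id, directory=DIRECTORY):
    """Search for the entry whose attribute equals user_id; return its DN.

    Returns None on zero or multiple matches so the caller fails closed
    instead of binding to an ambiguous or non-existent entry.
    """
    matches = [dn for dn, attrs in directory.items()
               if attrs.get(user_id_attribute) == user_id]
    return matches[0] if len(matches) == 1 else None


def simple_bind(dn, directory=DIRECTORY):
    """Stand-in for an LDAP simple bind on the DN only.

    Password checking is omitted; the bind already fails when the DN does
    not exist, which is the failure the report hits (HTTP 401).
    """
    return dn is not None and dn in directory
```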
tags: added: openstack; removed: identity
Changed in keystone:
  status: New → Triaged
  importance: Undecided → Medium
  milestone: none → havana-3
Changed in keystone:
  assignee: nobody → Adam Young (ayoung)
Changed in keystone:
  milestone: havana-3 → havana-rc1
summary:
  - LDAP identity provider fails when using samAccountName
  + Document howto config LDAP identity with non-DN based ids.
tags: added: documentation
tags: removed: keystone openstack samaccountname
Changed in keystone:
  importance: Low → Medium
Changed in keystone:
  assignee: Eric N. Vander Weele (ericvw) → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → Eric N. Vander Weele (ericvw)
Changed in keystone:
  assignee: Eric N. Vander Weele (ericvw) → Marek Denis (marek-denis)
Changed in keystone:
  status: In Progress → Won't Fix
You can view my configuration at http://behindtheracks.com/2013/08/openstack-active-directory-integration/