ldap _get_enabled is returning entire groupOfNames object for enabled_users and enabled_tenants

Bug #1217447 reported by Justin Shepherd on 2013-08-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Justin Shepherd

Bug Description

If you have 500 users in a tenant, the enabled_users check will return a groupOfNames object with 500 user CNs in it.

example ldapsearch: ldapsearch -x -D "cn=admin,dc=example,dc=com" -wpassword -b "cn=enabled_users,ou=Users,dc=example,dc=com" "member=cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com" -s base

***** OUTPUT *****
# extended LDIF
#
# LDAPv3
# base <cn=enabled_users,ou=Users,dc=rcb,dc=me> with scope baseObject
# filter: member=cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=rcb,dc=me
# requesting: ALL
#

# enabled_users, Users, example.com
dn: cn=enabled_users,ou=Users,dc=example,dc=com
objectClass: groupOfNames
member: cn=dumb,dc=nonexistent
member: cn=2c0c7a0ad381465e87faea4209780b93,ou=Users,dc=example,dc=com
member: cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com
member: cn=297b9d63b5fa4dcea1f33a21d732d357,ou=Users,dc=example,dc=com
member: cn=fbe7ecef7bf64631943aed243c8a8740,ou=Users,dc=example,dc=com
member: cn=2fa87b703eba4d118e8cecd7a9398a59,ou=Users,dc=example,dc=com
member: cn=079b66e2f49449279e62057f94d0f370,ou=Users,dc=example,dc=com
member: cn=e0c53180c6c344bc806ba558009258cf,ou=Users,dc=example,dc=com
member: cn=a7e152918f8c42d18023abb147b129a6,ou=Users,dc=example,dc=com
member: cn=3278c2b961a547edb7496f023f73eee5,ou=Users,dc=example,dc=com
member: cn=ea70ba972c334fe39210a35ede37a1ab,ou=Users,dc=example,dc=com
member: cn=f18cb5cbb6204f44853348abeef8dd9d,ou=Users,dc=example,dc=com
member: cn=229366aa6ba3444f9bd8392342be81ab,ou=Users,dc=example,dc=com
member: cn=efe4b41cac284a99a0cf4e0164e29ded,ou=Users,dc=example,dc=com
member: cn=1f023c493f1241bb9fe02181f134fe13,ou=Users,dc=example,dc=com
member: cn=a51ce49edc124096ba6dcb88b8ae518d,ou=Users,dc=example,dc=com
member: cn=07d324f7b86d4fc39572a574953bc4a3,ou=Users,dc=example,dc=com
***** SNIP *****
member: cn=07d6df2e33bf4dafa93ef30a3b77d97f,ou=Users,dc=example,dc=com
member: cn=c238bf336bc6466db5e92bb9ae68dcde,ou=Users,dc=example,dc=com
member: cn=12c01d4381e74721b1c46a84b3e56b5a,ou=Users,dc=example,dc=com
cn: enabled_users

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The return size increases with the number of users in the tenant (e.g. 1000 users will return 1000+ rows).

The ldap query should supply an Attribute List of CN instead of returning the entire list.
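
The requested change, sketched as an added example that is not part of the original report or keystone's own code: the same base-scope membership search, run with and without an attribute list of `cn`. `FakeDirectory`, `is_enabled`, `payload_values` and `demo` are hypothetical names, and the stub only mirrors the `search_s(base, scope, filterstr, attrlist)` call shape of python-ldap so the comparison runs offline on constructed data.

```python
# Added illustration, not keystone's code. FakeDirectory is a constructed
# stand-in for a python-ldap connection so the example runs offline.
SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE in python-ldap
GROUP_DN = "cn=enabled_users,ou=Users,dc=example,dc=com"
USER_DN = "cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com"


class FakeDirectory:
    """Constructed one-entry directory with a python-ldap style search_s()."""

    def __init__(self, members):
        self.entry = {"objectClass": [b"groupOfNames"],
                      "cn": [b"enabled_users"],
                      "member": [m.encode() for m in members]}

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Only understands the "(member=<dn>)" filter used by is_enabled().
        wanted = filterstr[len("(member="):-1].encode()
        if base != GROUP_DN or wanted not in self.entry["member"]:
            return []
        attrs = {k: v for k, v in self.entry.items()
                 if attrlist is None or k in attrlist}
        return [(base, attrs)]


def is_enabled(conn, group_dn, member_dn, attrlist=("cn",)):
    """Base-scope membership test; returns (enabled, raw search result).

    attrlist=("cn",) asks the server for the cn attribute only, so the
    reply no longer carries every member value of the groupOfNames entry.
    """
    result = conn.search_s(group_dn, SCOPE_BASE, "(member=%s)" % member_dn,
                           list(attrlist) if attrlist else None)
    return bool(result), result


def payload_values(result):
    """Number of attribute values carried back in a search result."""
    return sum(len(v) for _dn, attrs in result for v in attrs.values())


def demo(n_users=500):
    """Return (enabled, values with all attributes, values with cn only)."""
    others = ["cn=user%04d,ou=Users,dc=example,dc=com" % i
              for i in range(n_users - 1)]
    conn = FakeDirectory(others + [USER_DN])
    _, everything = is_enabled(conn, GROUP_DN, USER_DN, attrlist=None)
    enabled, cn_only = is_enabled(conn, GROUP_DN, USER_DN)
    return enabled, payload_values(everything), payload_values(cn_only)
```

Against a real server, `member_dn` should first be passed through python-ldap's `ldap.filter.escape_filter_chars` before it is placed in the filter string.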

Dolph Mathews (dolph) on 2013-08-28
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana-rc1

Fix proposed to branch: master
Review: https://review.openstack.org/44117

Changed in keystone:
assignee: nobody → Justin Shepherd (jshepher)
status: Confirmed → In Progress
Dolph Mathews (dolph) on 2013-08-28
Changed in keystone:
milestone: havana-rc1 → havana-3

Reviewed: https://review.openstack.org/44117
Committed: http://github.com/openstack/keystone/commit/4a7199b4a6dcf7c6b5c38c43d2bbff1533b6df28
Submitter: Jenkins
Branch: master

commit 4a7199b4a6dcf7c6b5c38c43d2bbff1533b6df28
Author: galstrom21 <email address hidden>
Date: Wed Aug 28 13:12:34 2013 -0500

    Add 'cn' to attribute_list for enabled_users/tenants query

    Fixes Bug: 1217447

    Change-Id: I712b2fccc08d48487515491684ef8e6c9a91ee0a

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-09-05
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-3 → 2013.2