OpenStack Identity (keystone)

Wrong LDAP attribute used in user response bodies

Bug #1254849 reported by Craig Jellick
18
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
In Progress
Medium
Craig Jellick
OpenStack Identity (keystone) juno-rc1 "RC1"

Bug Description

This bug applies to the LDAP identity backend.

If you configure keystone to use a different LDAP attribute for the user_id_attribute config property, the configured attribute will not be used to construct the User model object that is returned by GET requests to /users and /users/<user id>

To explain further, this bug particularly impacts Active Directory integrations. With AD, user objects typically look like this:
{
cn (commonName) : "John Doe",
sAMAccountName: "jdoe"
...
}
So, with AD, you want to user sAMAccountName for both the user_name_attribute and user_id_attribute config properties.

When you configure Keystone to use sAMAccountName for both of those properites, it works for the most part, but when the LDAP response is translated to a keystone user object, sAMAccountName is NOT used as the id attribute. Instead, the id is always extracted from the DN, meaning it is always the common name, regardless of how you have it configured.

This results in a request and response that looks something like this:
GET /v2.0/users/jdoe
Response:
{
"id" : "John Doe"
"links" : {
  "self" : "https://localhost/v2.0/users/John Does"
}
...
}

The bug is specifically here:
https://github.com/openstack/keystone/blob/stable/havana/keystone/common/ldap/core.py#L266
That method doesn't take into account what the configure user_id_attribute is.

This bug is somewhat related to https://bugs.launchpad.net/keystone/+bug/1210141, but that scope of that bug is just to change the documentation.

Tags: ldap
Craig Jellick (craig-jellick)
Changed in keystone:
assignee: nobody → Craig Jellick (craig-jellick)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/58372

Changed in keystone:
status: New → In Progress
Lance Bragstad (lbragstad)
tags: added: ldap
Revision history for this message
Craig Jellick (craig-jellick) wrote :

recheck bug 1217734

Revision history for this message
Dolph Mathews (dolph) wrote :

Craig, "rechecks" go in gerrit as a "Review"

Changed in keystone:
importance: Undecided → Medium
Revision history for this message
Craig Jellick (craig-jellick) wrote :

ah. ok. sorry

Revision history for this message
Craig Jellick (craig-jellick) wrote :

I revived this bug fix. ls there anything I need to do to get it back into the reviewers' queue?

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Hi Craig,

I would probably start by restoring the change and addressing the reviewers comments in your review: https://review.openstack.org/#/c/58372/

If the fix up for review is no longer the approach we want to take, then we should leave it as 'Abandoned' and move this bug out of 'In Progress'. If you have any other questions, you can find us in #openstack-keystone on freenode. Thanks!

Dolph Mathews (dolph)
Changed in keystone:
milestone: none → juno-rc1
Revision history for this message
Guang Yee (guang-yee) wrote :

This is a duplicate of https://bugs.launchpad.net/keystone/+bug/1361306. We need to fix this problem in a generic way.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/58372
Reason: https://bugs.launchpad.net/keystone/+bug/1254849/comments/7

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.