Wrong LDAP attribute used in user response bodies
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
In Progress
|
Medium
|
Craig Jellick |
Bug Description
This bug applies to the LDAP identity backend.
If you configure keystone to use a different LDAP attribute for the user_id_attribute config property, the configured attribute will not be used to construct the User model object that is returned by GET requests to /users and /users/<user id>
To explain further, this bug particularly impacts Active Directory integrations. With AD, user objects typically look like this:
{
cn (commonName) : "John Doe",
sAMAccountName: "jdoe"
...
}
So, with AD, you want to user sAMAccountName for both the user_name_attribute and user_id_attribute config properties.
When you configure Keystone to use sAMAccountName for both of those properites, it works for the most part, but when the LDAP response is translated to a keystone user object, sAMAccountName is NOT used as the id attribute. Instead, the id is always extracted from the DN, meaning it is always the common name, regardless of how you have it configured.
This results in a request and response that looks something like this:
GET /v2.0/users/jdoe
Response:
{
"id" : "John Doe"
"links" : {
"self" : "https:/
}
...
}
The bug is specifically here:
https:/
That method doesn't take into account what the configure user_id_attribute is.
This bug is somewhat related to https:/
Changed in keystone: | |
assignee: | nobody → Craig Jellick (craig-jellick) |
tags: | added: ldap |
Changed in keystone: | |
milestone: | none → juno-rc1 |
Fix proposed to branch: master /review. openstack. org/58372
Review: https:/