LDAP Identity does not convert ID to DN for lookup
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Expired | Undecided | Unassigned | |
Bug Description
There is a disconnect between how Identity gets users for Authentication and how it creates users.
When creating a user, deleting a user, etc., the identity code calls:
Which attempts to convert an id to a dn in two different ways. One is by composing the DN:
```python
def _id_to_
return u'%s=%s,%s' % (self.id_attr,
```
The other is by searching for a record of that objectclass
The difference is whether subtree searches are enabled.
The authenticate code path is different:
```python
def authenticate(self, user_id, password):
    try:
        ...
def _get_user(self, user_id):
    return self.user.
def get(self, object_id, ldap_filter=None):
    res = self._ldap_
def _ldap_get(self, object_id, ldap_filter=None):
    conn = self.get_
    query = (u'(&(%
```
Note that this second way of finding the object matches the subtree search method.
I think this has worked thus far mostly due to convention: If a DN is of the form:
uid=ayoung,cn....
and the object has the attribute
uid=ayoung
Both searches will match the object. However, if the DN is like this:
CN=ayoung,CN=...
but the user has
CN=Adam
The second will not match.
tags: added: ldap
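To make the mismatch described in the report concrete, the following is an added illustration, not keystone code: it models the two resolution strategies (composing `id_attr=object_id,tree_dn` versus a subtree search on `(&(objectclass=...)(id_attr=object_id))`) over a tiny in-memory directory. The DNs, attribute values, base DN and helper names are constructed for the example and are assumptions, not taken from any real deployment.

```python
# Added example modelling the two lookup paths from the bug report.
# This is NOT keystone code; the directory content below is constructed.

# Constructed directory: lowercase DN -> attributes (lowercase names).
# The second entry reproduces the report's problem case: its RDN is
# cn=ayoung, but the cn attribute itself holds "Adam".
DIRECTORY = {
    "uid=ayoung,ou=users,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "uid": ["ayoung"],
        "cn": ["Adam Young"],
        "sn": ["Young"],
    },
    "cn=ayoung,ou=users,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "cn": ["Adam"],          # differs from the RDN value "ayoung"
        "sn": ["Young"],
    },
}


def _lower_values(attrs, name):
    """Case-insensitive view of one attribute's values."""
    return [v.lower() for v in attrs.get(name.lower(), [])]


def compose_dn(id_attr, object_id, tree_dn):
    """Strategy 1 (create/delete path): build the DN by string composition.
    This only finds the right entry if the RDN really is id_attr=object_id."""
    return "%s=%s,%s" % (id_attr, object_id, tree_dn)


def exists_by_dn(dn):
    """Base-scope lookup of a composed DN."""
    return dn.lower() in DIRECTORY


def build_filter(objectclass, id_attr, object_id):
    """Filter in the shape of the authenticate path's query."""
    return "(&(objectclass=%s)(%s=%s))" % (objectclass, id_attr, object_id)


def search_by_attribute(objectclass, id_attr, object_id, base_dn):
    """Strategy 2 (authenticate path): subtree search matching the attribute
    value, which ignores what the RDN says."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith(base_dn.lower()):
            continue
        if objectclass.lower() not in _lower_values(attrs, "objectclass"):
            continue
        if object_id.lower() in _lower_values(attrs, id_attr):
            hits.append(dn)
    return hits


def compare_strategies(id_attr, object_id, objectclass, tree_dn):
    """Run both strategies and report whether they resolve the same entry.
    A False 'consistent' means create/delete and authenticate would not
    agree on which object (if any) the id refers to."""
    composed = compose_dn(id_attr, object_id, tree_dn)
    found_by_dn = exists_by_dn(composed)
    hits = search_by_attribute(objectclass, id_attr, object_id, tree_dn)
    return {
        "composed_dn": composed,
        "found_by_dn": found_by_dn,
        "search_filter": build_filter(objectclass, id_attr, object_id),
        "search_hits": hits,
        "consistent": found_by_dn and hits == [composed.lower()],
    }


if __name__ == "__main__":
    base = "ou=users,dc=example,dc=com"
    for attr in ("uid", "cn"):
        print(attr, compare_strategies(attr, "ayoung", "inetOrgPerson", base))
```

With `uid` as the id attribute both strategies land on the same entry; with `cn`, the composed DN exists but the attribute search returns nothing, which is exactly the case the report describes as "the second will not match". Checking this consistency on a real directory (does a base-scope read of the composed DN return the same entry as the subtree filter search?) is a quick way to confirm whether a given schema layout is affected.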
Can you explain the actual impact on end users? How do you reproduce a misbehavior?