When user in AD doesn't have ID field all user handlers error out
Bug #1478579 reported by
Victor Denisov
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Boris Bobrov | |
Bug Description
We have keystone integrated with AD.
'user_id_attribute' is set to 'info'. So, when our users first get created in AD, they don't always have this field populated. When a user does not have a populated 'info' attribute, all keystone queries fail, not just queries or rows containing that user.
Jul 7 14:02:12 node-38 keystone-all ID attribute info not found in LDAP object <AD CN Object here>
Some examples of how I see keystone should behave in this situation:
List all users - list only correct users and ignore invalid.
Authenticate invalid user - this request should not be authenticated.
tags: added: ldap
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Changed in keystone:
milestone: liberty-3 → 8.0.0
It looks like BaseLdap.get_all method in keystone.common.ldap.core should be fixed. If _ldap_res_to_model fails we shouldn't pass exception through but just skip failing item and move on.
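The behaviour requested in the description and in the comment above, sketched as an added example; this is not keystone's code or the fix that was released. The names `res_to_model`, `list_users`, `authenticate` and `bind_ok` are hypothetical, and the directory entries are constructed sample data with string values.

```python
import logging

LOG = logging.getLogger("ldap_sketch")
ID_ATTR = "info"  # the user_id_attribute value from the report

# Constructed sample search results: (dn, attrs) pairs, values as str lists.
SAMPLE = [
    ("CN=alice,OU=Users,DC=example,DC=test", {"cn": ["alice"], "info": ["a1"]}),
    ("CN=bob,OU=Users,DC=example,DC=test", {"cn": ["bob"]}),  # no 'info'
    ("CN=carol,OU=Users,DC=example,DC=test", {"cn": ["carol"], "info": [" "]}),
]


class MissingIdAttribute(Exception):
    """A directory entry lacks a usable value for the ID attribute."""


def res_to_model(dn, attrs, id_attr=ID_ATTR):
    """Convert one search result into a user dict, or raise."""
    # Assumption: a whitespace-only value counts as unpopulated.
    values = [v for v in attrs.get(id_attr, []) if v.strip()]
    if not values:
        raise MissingIdAttribute(dn)
    return {"id": values[0], "name": attrs.get("cn", [""])[0], "dn": dn}


def list_users(results, id_attr=ID_ATTR):
    """List valid users; one bad entry is logged and skipped, not fatal."""
    users = []
    for dn, attrs in results:
        try:
            users.append(res_to_model(dn, attrs, id_attr))
        except MissingIdAttribute:
            LOG.warning("ID attribute %s not found in %s, skipping", id_attr, dn)
    return users


def authenticate(results, name, bind_ok, id_attr=ID_ATTR):
    """Return the user ID on success, else None (fails closed)."""
    for dn, attrs in results:
        if attrs.get("cn", [""])[0] != name:
            continue
        try:
            user = res_to_model(dn, attrs, id_attr)
        except MissingIdAttribute:
            LOG.warning("Rejecting login for %s: no %s attribute", dn, id_attr)
            return None  # never bind as a user the service cannot identify
        return user["id"] if bind_ok(dn) else None  # bind_ok stands in for an LDAP bind
    return None
```

The warning emitted for each skipped entry is the signal an operator can alert on to find accounts that still need the attribute populated.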