Group membership attribute is hard-coded when using 'user_enable_emulation'

Bug #1515302 reported by Nathan Kinder on 2015-11-11
Affects: OpenStack Identity (keystone)  Importance: High  Assigned to: Nathan Kinder
Affects: Kilo  Importance: Undecided  Assigned to: Unassigned

Bug Description

The 'group_member_attribute' is used in Keystone when looking for groups in LDAP to find membership. But, when using 'user_enable_emulation', the following code in keystone/common/ldap/core.py references a hard-coded 'member' entry instead of 'group_member_attribute'.

---
def _get_enabled(self, object_id):
    dn = self._id_to_dn(object_id)
    query = '(member=%s)' % dn    # <---- Here
    with self.get_connection() as conn:
        try:
            enabled_value = conn.search_s(self.enabled_emulation_dn,
                                          ldap.SCOPE_BASE,
                                          query, ['cn'])
        except ldap.NO_SUCH_OBJECT:
            return False
        else:
            return bool(enabled_value)
---

As a result, when integrating Keystone with an LDAP back-end and using the 'enabled_user_emulation' feature with a group for which the membership attribute is 'uniquemember', users are listed as not enabled.
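As an added example (not code from the Keystone tree or from the patch attached to this bug): the Python below builds the enabled-emulation membership filter from a configurable membership attribute instead of the hard-coded 'member', and escapes the DN per RFC 4515 so that characters in a DN cannot rewrite the filter. 'LdapConfig', 'build_enabled_filter', 'is_enabled' and 'FakeLdapGroup' are hypothetical stand-ins for Keystone's [ldap] configuration and for python-ldap; the user DN and the groupOfUniqueNames entry are constructed. The real fix also makes the group objectclass configurable; only the membership attribute is modelled here.

```python
"""Added example, not Keystone's code: configurable membership attribute
for the enabled-emulation lookup, plus RFC 4515 filter escaping.

'LdapConfig', 'build_enabled_filter', 'is_enabled' and 'FakeLdapGroup'
are hypothetical stand-ins; the DNs and the group entry are constructed.
"""
import re
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter
    (RFC 4515): backslash, '*', '(', ')' and NUL become \\XX hex escapes.
    Without this a DN containing '*' or ')' could change the filter."""
    out = []
    for ch in value:
        if ch in '\\*()\0':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used only by the fake directory."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class LdapConfig:
    """Stand-in for the [ldap] options the bug report names."""
    group_member_attribute: str = 'member'
    user_enabled_emulation_dn: str = 'cn=enabled_users,ou=groups,dc=example,dc=com'
    # False reproduces the reported behaviour: always '(member=...)'.
    use_group_config: bool = True


def build_enabled_filter(cfg: LdapConfig, user_dn: str) -> str:
    """Filter evaluated against the emulation group to decide whether
    user_dn is enabled. With use_group_config the configured attribute
    (e.g. uniqueMember) is used; otherwise 'member' is hard-coded."""
    attr = cfg.group_member_attribute if cfg.use_group_config else 'member'
    return '(%s=%s)' % (attr, escape_filter_value(user_dn))


class FakeLdapGroup:
    """Minimal stand-in for one group entry returned by python-ldap.
    Supports only single equality filters; attribute names and values
    are compared case-insensitively, which is enough for this demo."""
    def __init__(self, attrs):
        self.attrs = {k.lower(): [v.lower() for v in vs]
                      for k, vs in attrs.items()}

    def matches(self, filt: str) -> bool:
        if not (filt.startswith('(') and filt.endswith(')')):
            raise ValueError('unsupported filter: %r' % filt)
        attr, _, value = filt[1:-1].partition('=')
        value = unescape_filter_value(value)
        return value.lower() in self.attrs.get(attr.lower(), [])


def is_enabled(cfg: LdapConfig, group: FakeLdapGroup, user_dn: str) -> bool:
    """Equivalent of _get_enabled(): does the emulation group list user_dn?"""
    return group.matches(build_enabled_filter(cfg, user_dn))


# Constructed data: a groupOfUniqueNames that lists alice via uniqueMember.
USER_DN = 'uid=alice,ou=users,dc=example,dc=com'
GROUP = FakeLdapGroup({'objectClass': ['groupOfUniqueNames'],
                       'cn': ['enabled_users'],
                       'uniqueMember': [USER_DN]})

BUGGY = LdapConfig(group_member_attribute='uniqueMember', use_group_config=False)
FIXED = LdapConfig(group_member_attribute='uniqueMember')

if __name__ == '__main__':
    print('hard-coded member:', is_enabled(BUGGY, GROUP, USER_DN))   # False
    print('configured attribute:', is_enabled(FIXED, GROUP, USER_DN))  # True
    print(build_enabled_filter(FIXED, 'uid=a*b,dc=x'))
```

With the hard-coded attribute the lookup misses the uniqueMember entry and reports alice as disabled, which is the symptom described above; with the configured attribute it finds her. The escaping is the extra check a practitioner would want here, since the DN is interpolated straight into a filter string.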

Nathan Kinder (nkinder) on 2015-11-11
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)

Fix proposed to branch: master
Review: https://review.openstack.org/244173

Changed in keystone:
status: New → In Progress

Reviewed: https://review.openstack.org/244173
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e465de5b44ffb1da65eab77ba7c81d1c0ced367f
Submitter: Jenkins
Branch: master

commit e465de5b44ffb1da65eab77ba7c81d1c0ced367f
Author: Nathan Kinder <email address hidden>
Date: Wed Nov 11 07:56:48 2015 -0800

    Remove hardcoded LDAP group schema from emulated enabled mix-in

    The emulated enabled mix-in uses hard-coded LDAP schema for the
    group objectclass and membership attributes. This patch makes the
    mix-in optionally use the LDAP group configuration settings.

    Change-Id: I5ed9d552ec140f83578398fd29e2130ebf827662
    Closes-Bug: #1515302

Changed in keystone:
status: In Progress → Fix Committed
Nathan Kinder (nkinder) on 2015-11-13
tags: added: liberty-backport-potential
tags: added: kilo-backport-potential

Reviewed: https://review.openstack.org/245258
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=134b0efcc74bdb640c0eb3fd97d64cdbcb9bb9ea
Submitter: Jenkins
Branch: stable/liberty

commit 134b0efcc74bdb640c0eb3fd97d64cdbcb9bb9ea
Author: Nathan Kinder <email address hidden>
Date: Wed Nov 11 07:56:48 2015 -0800

    Remove hardcoded LDAP group schema from emulated enabled mix-in

    The emulated enabled mix-in uses hard-coded LDAP schema for the
    group objectclass and membership attributes. This patch makes the
    mix-in optionally use the LDAP group configuration settings.

    Change-Id: I5ed9d552ec140f83578398fd29e2130ebf827662
    Closes-Bug: #1515302
    (cherry picked from commit e465de5b44ffb1da65eab77ba7c81d1c0ced367f)

tags: added: in-stable-liberty

Reviewed: https://review.openstack.org/245261
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0bce43a466aa3ee89c6c956fede2292e457146d7
Submitter: Jenkins
Branch: stable/kilo

commit 0bce43a466aa3ee89c6c956fede2292e457146d7
Author: Nathan Kinder <email address hidden>
Date: Wed Nov 11 07:56:48 2015 -0800

    Remove hardcoded LDAP group schema from emulated enabled mix-in

    The emulated enabled mix-in uses hard-coded LDAP schema for the
    group objectclass and membership attributes. This patch makes the
    mix-in optionally use the LDAP group configuration settings.

    Conflicts:
            keystone/common/ldap/core.py
            keystone/tests/unit/test_backend_ldap.py

    Change-Id: I5ed9d552ec140f83578398fd29e2130ebf827662
    Closes-Bug: #1515302
    (cherry picked from commit e465de5b44ffb1da65eab77ba7c81d1c0ced367f)

tags: added: in-stable-kilo
Changed in keystone:
importance: Undecided → High
Changed in keystone:
milestone: none → mitaka-1

This issue was fixed in the openstack/keystone 9.0.0.0b1 development milestone.

Changed in keystone:
status: Fix Committed → Fix Released

This issue was fixed in the openstack/keystone 8.0.1 release.
