Group membership attribute is hard-coded when using 'user_enabled_emulation'

Bug #1515302 reported by Nathan Kinder
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  High        Nathan Kinder
Kilo                           Fix Released  Undecided   Unassigned

Bug Description

The 'group_member_attribute' setting is used by Keystone when looking up groups in LDAP to determine membership. But when 'user_enabled_emulation' is in use, the following code in keystone/common/ldap/core.py references a hard-coded 'member' attribute instead of 'group_member_attribute'.

---
def _get_enabled(self, object_id):
    dn = self._id_to_dn(object_id)
    query = '(member=%s)' % dn  # <---- Here: 'member' is hard-coded
    with self.get_connection() as conn:
        try:
            enabled_value = conn.search_s(self.enabled_emulation_dn,
                                          ldap.SCOPE_BASE,
                                          query, ['cn'])
        except ldap.NO_SUCH_OBJECT:
            return False
        else:
            return bool(enabled_value)
---

As a result, when integrating Keystone with an LDAP back-end and using the 'user_enabled_emulation' feature with a group whose membership attribute is 'uniquemember', users are listed as not enabled.
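As an added illustration (not keystone's code), here are the two lookups side by side against a constructed in-memory directory whose enabled-users group uses 'uniquemember': the pre-fix filter with 'member' baked in never matches, while a lookup driven by the configured group_member_attribute does. The directory contents, the DNs and the search_base stand-in for conn.search_s are assumptions; the DN is also RFC 4515-escaped before it goes into the filter, which the excerpt above does not do.

```python
import re

# Constructed sample directory: one enabled-users group whose membership
# attribute is uniqueMember, the case from the report.
ENABLED_GROUP_DN = 'cn=enabled_users,ou=groups,dc=example,dc=com'
DIRECTORY = {
    ENABLED_GROUP_DN: {
        'cn': ['enabled_users'],
        'uniquemember': ['uid=alice,ou=users,dc=example,dc=com'],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter; python-ldap's
    ldap.filter.escape_filter_chars does the same job on a real deployment."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def search_base(base_dn, filt):
    """Stand-in (assumption) for conn.search_s(base, ldap.SCOPE_BASE, filt, ['cn']);
    understands only the single '(attr=value)' filters built below."""
    entry = DIRECTORY.get(base_dn)
    if entry is None:
        return []  # a real server would raise ldap.NO_SUCH_OBJECT
    attr, _, value = filt[1:-1].partition('=')
    value = re.sub(r'\\([0-9a-f]{2})', lambda m: chr(int(m.group(1), 16)), value)
    if any(v.lower() == value.lower() for v in entry.get(attr.lower(), [])):
        return [(base_dn, {'cn': entry['cn']})]
    return []


def is_enabled_hardcoded(user_dn):
    """Pre-fix lookup: the attribute name 'member' is baked into the filter."""
    return bool(search_base(ENABLED_GROUP_DN, '(member=%s)' % user_dn))


def is_enabled(user_dn, group_member_attribute='member'):
    """Post-fix lookup: uses the configured group_member_attribute and
    escapes the DN before placing it in the filter."""
    query = '(%s=%s)' % (group_member_attribute, escape_filter_value(user_dn))
    return bool(search_base(ENABLED_GROUP_DN, query))


if __name__ == '__main__':
    alice = 'uid=alice,ou=users,dc=example,dc=com'
    print('hard-coded member:', is_enabled_hardcoded(alice))              # False
    print('uniquemember configured:', is_enabled(alice, 'uniquemember'))  # True
```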

Nathan Kinder (nkinder)
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/244173

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/244173
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e465de5b44ffb1da65eab77ba7c81d1c0ced367f
Submitter: Jenkins
Branch: master

commit e465de5b44ffb1da65eab77ba7c81d1c0ced367f
Author: Nathan Kinder <email address hidden>
Date: Wed Nov 11 07:56:48 2015 -0800

    Remove hardcoded LDAP group schema from emulated enabled mix-in

    The emulated enabled mix-in uses hard-coded LDAP schema for the
    group objectclass and membership attributes. This patch makes the
    mix-in optionally use the LDAP group configuration settings.

    Change-Id: I5ed9d552ec140f83578398fd29e2130ebf827662
    Closes-Bug: #1515302

Changed in keystone:
status: In Progress → Fix Committed
Nathan Kinder (nkinder)
tags: added: liberty-backport-potential
tags: added: kilo-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/245258

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/245261

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/liberty)

Reviewed: https://review.openstack.org/245258
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=134b0efcc74bdb640c0eb3fd97d64cdbcb9bb9ea
Submitter: Jenkins
Branch: stable/liberty

commit 134b0efcc74bdb640c0eb3fd97d64cdbcb9bb9ea
Author: Nathan Kinder <email address hidden>
Date: Wed Nov 11 07:56:48 2015 -0800

    Remove hardcoded LDAP group schema from emulated enabled mix-in

    The emulated enabled mix-in uses hard-coded LDAP schema for the
    group objectclass and membership attributes. This patch makes the
    mix-in optionally use the LDAP group configuration settings.

    Change-Id: I5ed9d552ec140f83578398fd29e2130ebf827662
    Closes-Bug: #1515302
    (cherry picked from commit e465de5b44ffb1da65eab77ba7c81d1c0ced367f)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/245261
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0bce43a466aa3ee89c6c956fede2292e457146d7
Submitter: Jenkins
Branch: stable/kilo

commit 0bce43a466aa3ee89c6c956fede2292e457146d7
Author: Nathan Kinder <email address hidden>
Date: Wed Nov 11 07:56:48 2015 -0800

    Remove hardcoded LDAP group schema from emulated enabled mix-in

    The emulated enabled mix-in uses hard-coded LDAP schema for the
    group objectclass and membership attributes. This patch makes the
    mix-in optionally use the LDAP group configuration settings.

    Conflicts:
            keystone/common/ldap/core.py
            keystone/tests/unit/test_backend_ldap.py

    Change-Id: I5ed9d552ec140f83578398fd29e2130ebf827662
    Closes-Bug: #1515302
    (cherry picked from commit e465de5b44ffb1da65eab77ba7c81d1c0ced367f)

tags: added: in-stable-kilo
Changed in keystone:
importance: Undecided → High
Changed in keystone:
milestone: none → mitaka-1
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b1

This issue was fixed in the openstack/keystone 9.0.0.0b1 development milestone.

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 8.0.1

This issue was fixed in the openstack/keystone 8.0.1 release.
