Keystone not removing mapping between deleted LDAP user and Openstack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
OpenStack Keystone LDAP integration | Invalid | Undecided | Unassigned |
Bug Description
Keystone not removing mapping between deleted LDAP user and Openstack
The client is using LDAP for authentication and has used uid as a key for user_id_attribute. The client created an LDAP user, say ABC, with UID=100; this user is associated with an OpenStack user ABC. The relationship is recorded in the id_mapping table within the keystone database.
Now when the client deletes the LDAP user ABC, the entry is not deleted from the id_mapping table. Thus when the client creates a new LDAP user XYZ which gets the same UID=100, the incorrect record in id_mapping restricts the new user XYZ from authenticating and successfully logging on to OpenStack.
Note: there is no record for XYZ within the id_mapping table.
Details of domain config:
# User supplied configuration flags
user_filter = (memberof=
user_id_attribute = uidNumber
user_name_attribute = uid
user_objectclass = posixAccount
user_tree_dn = ou=xxxxx,
[identity]
driver = ldap
Table Description
mysql> desc id_mapping;
+------
| Field | Type | Null | Key | Default | Extra |
+------
| public_id | varchar(64) | NO | PRI | NULL | |
| domain_id | varchar(64) | NO | MUL | NULL | |
| local_id | varchar(64) | NO | | NULL | |
| entity_type | enum('user'
+------
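The mapping behaviour described in the report, modelled as an added example that is not keystone's code: a constructed id_mapping table keyed like the real one (domain_id, local_id, entity_type), and a scenario that creates ABC, deletes it, then creates XYZ on the same uidNumber, run once with uidNumber as the local id and once with a non-reusable attribute (entryUUID, assumed to be available on the directory). The domain id, the user entries and the hashing used for public_id are assumptions.

```python
import hashlib

# Constructed, simplified model of keystone's id_mapping table, keyed the way the
# real table is: (domain_id, local_id, entity_type) -> public_id. Not keystone code.
class IdMapping:
    def __init__(self):
        self.rows = {}

    def public_id_for(self, domain_id, local_id, entity_type="user"):
        """Return the existing public_id for a local id, creating one if absent."""
        key = (domain_id, str(local_id), entity_type)
        if key not in self.rows:
            # Assumption: public_id is a hash over the key, in the spirit of
            # keystone's default sha256 id generator (exact encoding not reproduced).
            self.rows[key] = hashlib.sha256("".join(key).encode()).hexdigest()
        return self.rows[key]

    def orphans(self, domain_id, ldap_entries, attr):
        """Mappings whose local_id no longer matches any live LDAP entry's `attr`."""
        live = {str(e[attr]) for e in ldap_entries}
        return [k for k in self.rows if k[0] == domain_id and k[1] not in live]


def run_scenario(user_id_attribute):
    """Create ABC, delete it, create XYZ reusing uidNumber 100; report what happens."""
    domain = "ldap_domain"  # constructed domain_id
    mapping = IdMapping()
    # Constructed directory entries; entryUUID values are made up.
    ldap = [{"uid": "ABC", "uidNumber": 100, "entryUUID": "uuid-abc-1"}]
    pid_abc = mapping.public_id_for(domain, ldap[0][user_id_attribute])
    ldap.clear()  # ABC deleted in LDAP; id_mapping is left untouched, as in the report
    orphans_after_delete = mapping.orphans(domain, ldap, user_id_attribute)
    ldap.append({"uid": "XYZ", "uidNumber": 100, "entryUUID": "uuid-xyz-2"})
    pid_xyz = mapping.public_id_for(domain, ldap[0][user_id_attribute])
    orphans_after_reuse = mapping.orphans(domain, ldap, user_id_attribute)
    return {
        # With uidNumber the stale row is silently reused, so XYZ inherits ABC's
        # public_id (and anything keyed on it); with entryUUID XYZ gets a fresh one.
        "same_public_id": pid_abc == pid_xyz,
        "orphans_after_delete": len(orphans_after_delete),
        # With uidNumber the orphan check can no longer see the stale row at all.
        "orphans_after_reuse": len(orphans_after_reuse),
    }


if __name__ == "__main__":
    for attr in ("uidNumber", "entryUUID"):
        print(attr, run_scenario(attr))
```

The orphan check is the audit a deployer can run against the real table and directory before LDAP identifiers are recycled; once a reusable attribute has been reused, the stale row is indistinguishable from a valid one.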
Adding the charm because maybe there's a more unique field we can use than uid, given this behaviour with re-use of uids.