LDAP user name attribute is case sensitive

Bug #1753585 reported by Matthew Edmonds on 2018-03-05
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Vishakha Agarwal

Bug Description

keystone was not able to find any users while the LDAP user name attribute was configured to "samaccountname", but could find users when reconfigured to use "sAMAccountName". LDAP is not supposed to be case-sensitive, so either should work.

This appears to be a result of https://github.com/openstack/keystone/blob/12.0.0.0rc2/keystone/identity/backends/ldap/common.py#L1403 looking for that attribute in a case-sensitive manner, though there may be other places as well.

found in: Pike

Lance Bragstad (lbragstad) wrote :

The workaround here is to reconfigure the username attribute configuration option in keystone to be an exact match of what is in LDAP, correct?

Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
tags: added: ldap
Matthew Edmonds (edmondsw) wrote :

correct

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.openstack.org/603345

Changed in keystone:
status: Confirmed → In Progress
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Colleen Murphy (krinkle)

Reviewed: https://review.openstack.org/603345
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=816b472a9d20e4e7cfe33f2f40ef5daae590795e
Submitter: Zuul
Branch: master

commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585

Changed in keystone:
status: In Progress → Fix Released
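
An added illustration of the lookup mismatch described in this report and of the lower-casing approach named in the commit message. It is not keystone's code: the function names, the attribute mapping and the sample entry are constructed assumptions, including the assumption that an entry whose name attribute cannot be mapped is not returned as a user.

```python
# Constructed sample: one entry shaped like a python-ldap search result,
# with attribute names in the case the directory returned them and
# values as bytes (as python-ldap returns them on Python 3).
SAMPLE_RESULT = [
    ("CN=jdoe,OU=Users,DC=example,DC=test",
     {"cn": [b"jdoe"],
      "sAMAccountName": [b"jdoe"],
      "mail": [b"jdoe@example.test"]}),
]


def map_entry_case_sensitive(attrs, mapping):
    """Behaviour described in the report: exact-case key lookup."""
    obj = {}
    for model_key, ldap_attr in mapping.items():
        if ldap_attr in attrs:
            obj[model_key] = attrs[ldap_attr][0].decode("utf-8")
    return obj


def map_entry_case_insensitive(attrs, mapping):
    """Approach named in the commit message: lower-case both sides."""
    lowered = {name.lower(): values for name, values in attrs.items()}
    obj = {}
    for model_key, ldap_attr in mapping.items():
        values = lowered.get(ldap_attr.lower())
        if values:
            obj[model_key] = values[0].decode("utf-8")
    return obj


def find_users(result, mapping, mapper):
    """Return mapped entries; entries without a mapped name are skipped
    (assumption made for this example)."""
    users = []
    for _dn, attrs in result:
        obj = mapper(attrs, mapping)
        if "name" in obj:
            users.append(obj)
    return users


if __name__ == "__main__":
    configured = {"name": "samaccountname", "email": "mail"}
    print(find_users(SAMPLE_RESULT, configured, map_entry_case_sensitive))
    print(find_users(SAMPLE_RESULT, configured, map_entry_case_insensitive))
```
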

Reviewed: https://review.openstack.org/607197
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c1e96d42d3446614c2475b5716a075eac67ea73f
Submitter: Zuul
Branch: stable/queens

commit c1e96d42d3446614c2475b5716a075eac67ea73f
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
    (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)

tags: added: in-stable-queens

Reviewed: https://review.openstack.org/607198
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=55fda22d5b9f6c99ce093aefe13b3cb728e47748
Submitter: Zuul
Branch: stable/pike

commit 55fda22d5b9f6c99ce093aefe13b3cb728e47748
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
    (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)

tags: added: in-stable-pike
tags: added: in-stable-rocky

Reviewed: https://review.openstack.org/607056
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=15a8ae937d1aa2a288770e06c99c36ba28dae481
Submitter: Zuul
Branch: stable/rocky

commit 15a8ae937d1aa2a288770e06c99c36ba28dae481
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
    (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)

Colleen Murphy (krinkle) on 2018-10-05
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

This issue was fixed in the openstack/keystone 13.0.2 release.

This issue was fixed in the openstack/keystone 12.0.2 release.

This issue was fixed in the openstack/keystone 14.0.1 release.

Changed in keystone:
milestone: none → stein-1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
