LDAP: changing user_id_attribute bricks group mapping
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Guang Yee | ||
Ubuntu Cloud Archive |
Fix Released
|
Medium
|
Unassigned | ||
Queens |
Fix Released
|
Medium
|
Unassigned | ||
Rocky |
Fix Released
|
Medium
|
Unassigned | ||
Stein |
Fix Released
|
Medium
|
Unassigned | ||
Train |
Fix Released
|
Medium
|
Unassigned | ||
keystone (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Unassigned | ||
Cosmic |
Won't Fix
|
Medium
|
Unassigned | ||
Disco |
Fix Released
|
Medium
|
Unassigned | ||
Eoan |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[Impact]
When using the keystone LDAP backend, changing user_id_attribute breaks group mapping. This is because the _dn_to_id() method only calculated the uid to be the first RDN of the DN. _dn_to_id() is updated in the fix to also deal with the case where the uid is set to a different attribute.
[Test Case]
See details in comment #25: https:/
[Regression Potential]
The patch takes a minimal approach to the fix and includes unit tests to help ensure the patched code doesn't regress. The patches have landed in all upstream releases back to stable/queens which helps get even more exposure with upstream reviews, gate testing and real deployments.
[Original Description]
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_
The relevant code in keystone:
`list_users_
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and compare the configured 'user_id_attribute' of the received ldap user id and the in keystone stored user id. A quick fix could also be to mention that behavior in the documentation.
/e: related https:/
[1] https:/
[2] https:/
[3] https:/
description: | updated |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
tags: | added: ldap |
Changed in keystone (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in keystone (Ubuntu Bionic): | |
status: | New → Triaged |
Changed in keystone (Ubuntu Cosmic): | |
status: | New → Triaged |
Changed in keystone (Ubuntu Disco): | |
status: | New → Triaged |
Changed in keystone (Ubuntu Cosmic): | |
importance: | Undecided → Medium |
Changed in keystone (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in keystone (Ubuntu Disco): | |
importance: | Undecided → Medium |
Changed in keystone: | |
assignee: | Corey Bryant (corey.bryant) → Guang Yee (guang-yee) |
tags: | added: sts-sru-needed |
Changed in keystone (Ubuntu Eoan): | |
status: | Triaged → Fix Released |
description: | updated |
tags: |
added: verification-done-disco removed: verification-needed-disco |
Changed in cloud-archive: | |
status: | Triaged → Fix Released |
Hi Jakob,
Do you notice a difference in behavior is you perform a ``keystone-manage mapping_purge``? This should clear out the mapping IDs keystone has locally and regenerate them. Does that have any impact on the issue you're seeing?