LDAP: group_members_are_ids ignored for user_enabled_emulation_use_group_config

Bug #1839133 reported by Radosław Piliszek on 2019-08-06
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Radosław Piliszek

Bug Description

This is re: http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008210.html
"[keystone] [stein] user_enabled_emulation config problem"

I set:
user_tree_dn = ou=Users,o=UCO
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_enabled_emulation = true
user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
user_enabled_emulation_use_group_config = true
group_tree_dn = ou=Groups,o=UCO
group_objectclass = posixGroup
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = memberUid
group_members_are_ids = true

Keystone properly lists members of the Users group but they all remain
disabled.

I ran keystone with debug and discovered that it looks for memberUid=<DN> instead of memberUid=<ID>, e.g. memberUid=uid=r.piliszek,ou=Users,o=UCO instead of memberUid=r.piliszek.

I will submit a proposal with my patch to Gerrit but will require some assistance with creating a unit test that fails without the patch and works with it.
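
The mismatch described in the report, as an added example that is not part of the original report and is not keystone's code: it builds the enabled-emulation membership filter both ways and evaluates it against a constructed posixGroup entry. All function names are hypothetical, the group entry is constructed sample data, and matching is simplified to exact string comparison.

```python
# Added illustration; helper names are hypothetical, not keystone's API.

# Constructed sample data matching the configuration in the report.
USER_DN = "uid=r.piliszek,ou=Users,o=UCO"
USERS_GROUP = {
    "cn": ["Users"],
    "objectClass": ["posixGroup"],
    "memberUid": ["r.piliszek", "j.doe"],  # posixGroup stores bare IDs, not DNs
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def id_from_dn(user_dn):
    """Return the value of the leading RDN (simplified: no escaped commas)."""
    first_rdn = user_dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def member_value(user_dn, members_are_ids):
    """Value to look for in the group's member attribute."""
    return id_from_dn(user_dn) if members_are_ids else user_dn


def emulation_filter(user_dn, member_attribute, members_are_ids):
    """Filter deciding whether the user is in the 'enabled' group."""
    value = member_value(user_dn, members_are_ids)
    return "(%s=%s)" % (member_attribute, escape_filter_value(value))


def is_enabled(group_entry, user_dn, member_attribute, members_are_ids):
    """Evaluate the membership test against an in-memory group entry."""
    wanted = member_value(user_dn, members_are_ids)
    return wanted in group_entry.get(member_attribute, [])


if __name__ == "__main__":
    for are_ids in (False, True):  # False reproduces the reported behaviour
        print(are_ids,
              emulation_filter(USER_DN, "memberUid", are_ids),
              is_enabled(USERS_GROUP, USER_DN, "memberUid", are_ids))
```

With the DN-based filter every member of the group evaluates as disabled, which is the symptom reported above.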

Fix proposed to branch: master
Review: https://review.opendev.org/674782

Changed in keystone:
assignee: nobody → Radosław Piliszek (yoctozepto)
status: New → In Progress

Reviewed: https://review.opendev.org/674782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c7fae97d873f72068ca65538ec5b5919c0ac7d5a
Submitter: Zuul
Branch: master

commit c7fae97d873f72068ca65538ec5b5919c0ac7d5a
Author: Radosław Piliszek <email address hidden>
Date: Tue Aug 6 13:25:17 2019 +0200

    Honor group_members_are_ids for user_enabled_emulation

    Applied when group config is to be honored
    (i.e. set user_enabled_emulation_use_group_config).
    Conditionals follow usage of group_members_are_ids.

    Added new test for the case with ids.
    It fails without fix.
    The original test expanded to ensure the change did not
    break its internals either.
    It passes without fix as well.

    Additionally some TODOs are added for observed potential issues.

    Change-Id: I7874a70e6109219baee80309c3a27f8af9905a6d
    Closes-Bug: #1839133
    Signed-off-by: Radosław Piliszek <email address hidden>

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Change abandoned by Radosław Piliszek (<email address hidden>) on branch: stable/ocata
Review: https://review.opendev.org/711752
Reason: leaving only for reference, not straining core team

Change abandoned by Radosław Piliszek (<email address hidden>) on branch: stable/pike
Review: https://review.opendev.org/711751
Reason: leaving only for reference, not straining core team

Change abandoned by Radosław Piliszek (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/683304
Reason: leaving only for reference, not straining core team

Change abandoned by Radosław Piliszek (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/683305
Reason: leaving only for reference, not straining core team

Reviewed: https://review.opendev.org/683303
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e3aae94d5a441a55bd98c40cbbdd17fd685b8e13
Submitter: Zuul
Branch: stable/stein

commit e3aae94d5a441a55bd98c40cbbdd17fd685b8e13
Author: Radosław Piliszek <email address hidden>
Date: Tue Aug 6 13:25:17 2019 +0200

    Honor group_members_are_ids for user_enabled_emulation

    Applied when group config is to be honored
    (i.e. set user_enabled_emulation_use_group_config).
    Conditionals follow usage of group_members_are_ids.

    Added new test for the case with ids.
    It fails without fix.
    The original test expanded to ensure the change did not
    break its internals either.
    It passes without fix as well.

    Additionally some TODOs are added for observed potential issues.

    Backport amended with [1] to pass CI.

    [1] 19d4831daa3991bed48fb364fa05927740c96445 (pep8)

    Change-Id: I7874a70e6109219baee80309c3a27f8af9905a6d
    Closes-Bug: #1839133
    Signed-off-by: Radosław Piliszek <email address hidden>
    (cherry picked from commit c7fae97d873f72068ca65538ec5b5919c0ac7d5a)

tags: added: in-stable-stein