LDAP: group_members_are_ids ignored for user_enabled_emulation_use_group_config

Bug #1839133 reported by Radosław Piliszek on 2019-08-06
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Radosław Piliszek

Bug Description

This is re: http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008210.html
"[keystone] [stein] user_enabled_emulation config problem"

I set:
user_tree_dn = ou=Users,o=UCO
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_enabled_emulation = true
user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
user_enabled_emulation_use_group_config = true
group_tree_dn = ou=Groups,o=UCO
group_objectclass = posixGroup
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = memberUid
group_members_are_ids = true

Keystone properly lists members of the Users group but they all remain
disabled.

I ran keystone with debug and discovered that it looks for memberUid=<DN> instead of memberUid=<ID>, e.g. memberUid=uid=r.piliszek,ou=Users,o=UCO instead of memberUid=r.piliszek

I will submit a proposal with my patch to gerrit but will require some assistance with creating a unit test that fails without patch and works with it.
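The following is an added illustration, not keystone's own code, of the membership lookup the report describes. It takes the configuration values from the report as a plain dict, builds the filter that the enabled-emulation check would send, and evaluates it against a constructed posixGroup entry whose memberUid values are plain ids. With honour_members_are_ids=False it reproduces the reported behaviour (the DN is compared against memberUid and every user stays disabled); with True the id is compared and the user is enabled. The fallback attribute name "member" for the non-group-config case is an assumption of this example.

```python
"""Illustration of the filter an LDAP enabled-emulation check builds.

Added example, not keystone code. The configuration values are the ones
from the bug report; the group entry and its members are constructed.
"""

# Configuration from the bug report (as a plain dict for this example).
CONFIG = {
    "user_tree_dn": "ou=Users,o=UCO",
    "user_id_attribute": "uid",
    "user_enabled_emulation": True,
    "user_enabled_emulation_dn": "cn=Users,ou=Groups,o=UCO",
    "user_enabled_emulation_use_group_config": True,
    "group_member_attribute": "memberUid",
    "group_members_are_ids": True,
}

# Constructed posixGroup entry: members are listed by uid, not by DN.
ENABLED_GROUP_ENTRY = {
    "dn": "cn=Users,ou=Groups,o=UCO",
    "objectClass": ["posixGroup"],
    "cn": ["Users"],
    "memberUid": ["r.piliszek", "j.doe"],
}


def user_dn(config, user_id):
    """Full DN of a user, built from the user tree and the id attribute."""
    return f"{config['user_id_attribute']}={user_id},{config['user_tree_dn']}"


def member_attribute(config):
    """Attribute that holds the members of the enabled-emulation group.

    With use_group_config the group's member attribute is used; otherwise
    'member' is the fallback assumed for this example.
    """
    if config["user_enabled_emulation_use_group_config"]:
        return config["group_member_attribute"]
    return "member"


def member_value(config, user_id, honour_members_are_ids):
    """Value compared against the member attribute.

    honour_members_are_ids=False reproduces the reported behaviour: the DN
    is always used, even though the group lists plain ids.
    """
    if (honour_members_are_ids
            and config["user_enabled_emulation_use_group_config"]
            and config["group_members_are_ids"]):
        return user_id
    return user_dn(config, user_id)


def enabled_filter(config, user_id, honour_members_are_ids=True):
    """LDAP filter the emulation lookup would send for this user."""
    attr = member_attribute(config)
    value = member_value(config, user_id, honour_members_are_ids)
    return f"({attr}={value})"


def is_enabled(config, user_id, group_entry, honour_members_are_ids=True):
    """Evaluate the membership check against an in-memory group entry."""
    attr = member_attribute(config)
    value = member_value(config, user_id, honour_members_are_ids)
    return value in group_entry.get(attr, [])


if __name__ == "__main__":
    for honour in (False, True):
        print("group_members_are_ids honoured:", honour)
        print("  filter :", enabled_filter(CONFIG, "r.piliszek", honour))
        print("  enabled:", is_enabled(CONFIG, "r.piliszek",
                                       ENABLED_GROUP_ENTRY, honour))
```

Run stand-alone it prints the two filters side by side: `(memberUid=uid=r.piliszek,ou=Users,o=UCO)` never matches a posixGroup's memberUid values, which is why the listed members show up as disabled, while `(memberUid=r.piliszek)` does. Checking the emitted filter in keystone's debug log against the group's actual attribute values is the quickest way to confirm this class of misconfiguration or bug.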

Fix proposed to branch: master
Review: https://review.opendev.org/674782

Changed in keystone:
assignee: nobody → Radosław Piliszek (yoctozepto)
status: New → In Progress