OpenStack Identity (keystone)

Can't use objectGUID as user_id_attribute in Keystone/LDAP integration

Bug #1895903 reported by Nikolay Vinogradov on 2020-09-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	New	Undecided	Unassigned

Bug Description

In order to configure Keystone LDAP integration the upstream docs suggests using cn for user_id_attribute [1]. A more stable alternative attribute to cn as a user ID could be objectGUID, but it doesn't work in keystone:

$ openstack user list --domain fd8fbe474db94bb6bd8fa2c29da508c9
ID attribute objectGUID not found in LDAP object CN=..... (HTTP 404) (Request-ID: req-d4564a60-2359-44b4-8b44-76f4345c9df9)

ldapsearch returns the attribute correctly using the same query as the one failing in keystone.

[1] https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html

Revision history for this message

Billy Olsen (billy-olsen) wrote on 2020-09-17:

This looks to be a duplicate of https://bugs.launchpad.net/keystone/+bug/1889936

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.