String length exceeded local_id mapping to LDAP
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Unassigned | |
Bug Description
LDAP Group ID may exceed the current table limit:
String length exceeded. The length of string '***' exceeds the limit of column local_id(CHAR(64)). (HTTP 400) (Request-ID: req-bf68d05f-
From an upstream bug[1] we had the following solution:
The workaround for this issue is to not use objectGUID as the user or group ID. However, that workaround might not be applicable in all situations. For example, the default value for user_id_attribute is 'cn', but if that value spans more than 64 characters, keystone can't work with it.
But for security reasons, the customer can't change the mapped field.
I believe the limit can be safely changed to 255 without impacting other OpenStack projects, keystone backends or subsystems.
[1] https:/
tags: added: ldap
Changed in keystone:
importance: Undecided → Medium
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/792587
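A pre-flight check for the condition in the bug description, as an added example that is not part of the report or of keystone's code: it reads an LDIF export, takes the attribute planned as the ID (`cn` here), and flags values longer than the 64-character `local_id` column or the proposed 255. The LDIF sample and function names are constructed for illustration, and counting characters rather than bytes is an assumption.

```python
import base64

COLUMN_LIMIT = 64     # local_id CHAR(64), per the error message in the report
PROPOSED_LIMIT = 255  # size suggested in the report

# Constructed sample LDIF export; all DNs and values are made up.
SAMPLE_LDIF = """\
dn: cn=long,ou=groups,dc=example,dc=test
cn: project-alpha-regional-infrastructure-operations-and-platform-
 reliability-engineering-group

dn: cn=utf8,ou=groups,dc=example,dc=test
cn:: w6lxdWlwZS1ww7RsZQ==
"""

def parse_ldif(text):
    """Yield {attr: [values]} per entry; handles folded and base64 lines."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        entry = {}
        for line in (l for l in block.splitlines() if l and l[0] != "#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                try:
                    value = base64.b64decode(rest[1:].strip()).decode("utf-8")
                except UnicodeDecodeError:
                    value = None  # binary value; not measured here
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            yield entry

def audit_id_lengths(ldif_text, id_attribute="cn"):
    """Return (dn, length, verdict) for each entry's candidate local_id."""
    report = []
    for entry in parse_ldif(ldif_text):
        value = entry.get(id_attribute.lower(), [None])[0]
        n = None if value is None else len(value)  # assumed: characters, not bytes
        verdict = ("no text value" if n is None else
                   "ok" if n <= COLUMN_LIMIT else
                   "exceeds 64, fits 255" if n <= PROPOSED_LIMIT else
                   "exceeds 255")
        report.append((entry.get("dn", ["?"])[0], n, verdict))
    return report

if __name__ == "__main__":
    print(*audit_id_lengths(SAMPLE_LDIF), sep="\n")
```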