String length exceeded local_id mapping to LDAP

Bug #1929066 reported by Grzegorz Grasza
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned

Bug Description

LDAP Group ID may exceed the current table limit:

String length exceeded. The length of string '***' exceeds the limit of column local_id(CHAR(64)). (HTTP 400) (Request-ID: req-bf68d05f-dc7b-4f4b-bbb0-d2a11728de86)

From an upstream bug[1] we had the following solution:

The workaround for this issue is to not use objectGUID as the user or group ID. However, that workaround might not be applicable in all situations. For example, the default value for user_id_attribute is 'cn', but if that value spans more than 64 characters, keystone can't work with it.

But for security reasons, the customer can't change the mapped field.

I believe the limit can be safely changed to 255 without impacting other OpenStack projects, keystone backends or subsystems.

[1] https://bugs.launchpad.net/keystone/+bug/1889936/comments/1
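A pre-flight check for the limit this bug is about: it walks the LDAP entries keystone would map and reports every value of the configured id attribute that does not fit the local_id column, under both the old CHAR(64) width and the 255-character width introduced by the fix. This is an added example, not keystone's own code; the entry format (dicts of attribute name to list of decoded strings) and the sample directory are constructed for the example, and the attribute names mirror keystone's user_id_attribute / group_id_attribute options.

```python
"""Check whether LDAP id attribute values fit keystone's id_mapping.local_id.

Added example, not keystone code.  Assumptions: entries are dicts mapping
attribute name -> list of decoded str values (as a decoded LDAP search
result would look); the limits are the CHAR widths before/after the fix.
"""
from typing import Dict, Iterable, List, Tuple

Entry = Dict[str, List[str]]

LOCAL_ID_LIMIT_OLD = 64   # CHAR(64): width before the fix in this bug
LOCAL_ID_LIMIT_NEW = 255  # width after the fix (commit ce6031ca...)


def oversized_ids(entries: Iterable[Entry], id_attr: str,
                  limit: int) -> List[Tuple[str, int]]:
    """Return (value, length) for every mapped id longer than `limit`.

    Length is counted in characters, not bytes, because keystone stores the
    decoded attribute value and the column is CHAR(n).  Attribute names are
    matched case-insensitively, as LDAP attribute types are.
    """
    wanted = id_attr.lower()
    too_long: List[Tuple[str, int]] = []
    for entry in entries:
        for name, values in entry.items():
            if name.lower() != wanted:
                continue
            for value in values:
                if len(value) > limit:
                    too_long.append((value, len(value)))
    return too_long


def fits_after_fix(entries: Iterable[Entry], id_attr: str) -> bool:
    """True when the 255-character column holds every id for this attribute."""
    return not oversized_ids(entries, id_attr, LOCAL_ID_LIMIT_NEW)


# Constructed sample directory: the second group has a 70-character name,
# which overflows CHAR(64) but fits the raised 255-character limit.
SAMPLE_GROUPS: List[Entry] = [
    {"cn": ["cloud-admins"], "sAMAccountName": ["cloud-admins"]},
    {"cn": ["x" * 70], "sAMAccountName": ["a" * 70]},
]

if __name__ == "__main__":
    for value, n in oversized_ids(SAMPLE_GROUPS, "sAMAccountName",
                                  LOCAL_ID_LIMIT_OLD):
        print(f"{n} chars exceed CHAR({LOCAL_ID_LIMIT_OLD}): {value[:16]}...")
```

Run it against a dump of your real user and group entries before upgrading: an empty result under LOCAL_ID_LIMIT_NEW means the fix alone resolves the HTTP 400, a non-empty one means the attribute choice still has to change.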

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/792587

Changed in keystone:
status: New → In Progress
Gage Hugo (gagehugo) wrote :

Generally the CN has a max limit[0] of 64, which is probably where the keystone CHAR(64) limit was derived from.

[0] https://docs.microsoft.com/en-us/windows/win32/adschema/a-cn?redirectedfrom=MSDN

Grzegorz Grasza (xek) wrote :

In this case, the customer is using sAMAccountName as the group_id and user_id attribute.

It's described by Microsoft here: https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname

tags: added: ldap
Changed in keystone:
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

Setting this to medium since it affects users logging in if they are a member of any group with a name over 64 characters.

There is a workaround for users to be removed from that group, but that could be problematic for organizations with separate groups managing LDAP, which could very well be the case for large deployments.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/792587
Committed: https://opendev.org/openstack/keystone/commit/ce6031ca12156620cec214a49d162ec7bb30752f
Submitter: "Zuul (22348)"
Branch: master

commit ce6031ca12156620cec214a49d162ec7bb30752f
Author: Grzegorz Grasza <email address hidden>
Date: Thu May 20 21:07:02 2021 +0200

    Update local_id limit to 255 characters

    This avoids the "String length exceeded." error, when using LDAP
    domain specific backend in case the user uses a user id
    attribute, which can exceed the previous constraint of 64 chars.

    Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
    Closes-Bug: #1929066
    Resolves: rhbz#1959345

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/keystone/+/806381

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 20.0.0.0rc1

This issue was fixed in the openstack/keystone 20.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/806381
Committed: https://opendev.org/openstack/keystone/commit/2700adaadcd19baf4ee6edf9b41ff9e6e4009edc
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 2700adaadcd19baf4ee6edf9b41ff9e6e4009edc
Author: Grzegorz Grasza <email address hidden>
Date: Thu May 20 21:07:02 2021 +0200

    Update local_id limit to 255 characters

    This avoids the "String length exceeded." error, when using LDAP
    domain specific backend in case the user uses a user id
    attribute, which can exceed the previous constraint of 64 chars.

    Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
    Closes-Bug: #1929066
    Resolves: rhbz#1959345
    (cherry picked from commit ce6031ca12156620cec214a49d162ec7bb30752f)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/keystone/+/844941

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/844941
Committed: https://opendev.org/openstack/keystone/commit/e8045af63119b201093c424d5f8d029535197c97
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit e8045af63119b201093c424d5f8d029535197c97
Author: Grzegorz Grasza <email address hidden>
Date: Thu May 20 21:07:02 2021 +0200

    Update local_id limit to 255 characters

    This avoids the "String length exceeded." error, when using LDAP
    domain specific backend in case the user uses a user id
    attribute, which can exceed the previous constraint of 64 chars.

    Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
    Closes-Bug: #1929066
    Resolves: rhbz#1959345
    (cherry picked from commit ce6031ca12156620cec214a49d162ec7bb30752f)
    (cherry picked from commit 2700adaadcd19baf4ee6edf9b41ff9e6e4009edc)

tags: added: in-stable-victoria
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/keystone/+/845030

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/845030
Committed: https://opendev.org/openstack/keystone/commit/97a63ca8d548a6b8381280cccf0a80062060bd6a
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 97a63ca8d548a6b8381280cccf0a80062060bd6a
Author: Grzegorz Grasza <email address hidden>
Date: Thu May 20 21:07:02 2021 +0200

    Update local_id limit to 255 characters

    This avoids the "String length exceeded." error, when using LDAP
    domain specific backend in case the user uses a user id
    attribute, which can exceed the previous constraint of 64 chars.

    Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
    Closes-Bug: #1929066
    Resolves: rhbz#1959345
    (cherry picked from commit ce6031ca12156620cec214a49d162ec7bb30752f)
    (cherry picked from commit 2700adaadcd19baf4ee6edf9b41ff9e6e4009edc)
    (cherry picked from commit e8045af63119b201093c424d5f8d029535197c97)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 19.0.1

This issue was fixed in the openstack/keystone 19.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone ussuri-eol

This issue was fixed in the openstack/keystone ussuri-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone victoria-eom

This issue was fixed in the openstack/keystone victoria-eom release.
