OpenStack Identity (Keystone)

BaseLDAP builds tree_dn backwards

Reported by Adam Young on 2012-04-12
This bug affects 1 person
Affects: Keystone
Importance: Low
Assigned to: Unassigned

Bug Description

If the configuration file specifies only the suffix, the code to build the base DN prepends the suffix instead of appending it, so the DN looks like

cn=example,cn=com,ou=Users

instead of

ou=Users,cn=example,cn=com

Adam Young (ayoung) wrote :

The fix is
[ayoung@ayoung ldap]$ git show
commit f9238e29a3e83989b98dde62597156aafa1e68a0
Author: Adam Young <email address hidden>
Date: Thu Apr 12 15:19:54 2012 -0400

    Correct Tree DN

diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 72647c2..43a33d7 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -83,7 +83,7 @@ class BaseLdap(object):
                 self.suffix = self.DEFAULT_SUFFIX
             dn = '%s_tree_dn' % self.options_name
             self.tree_dn = (getattr(conf.ldap, dn)
- or '%s,%s' % (self.suffix, self.DEFAULT_OU))
+ or '%s,%s' % (self.DEFAULT_OU, self.suffix))

             idatt = '%s_id_attribute' % self.options_name
             self.id_attr = getattr(conf.ldap, idatt) or self.DEFAULT_ID_ATTR
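
Review bot: the corrected fallback on the `or '%s,%s' % (self.DEFAULT_OU, self.suffix)` line comes with no test in this diff, so the ordering could regress unnoticed. Please add a regression test that leaves the `%s_tree_dn` option unset and asserts that the resulting `tree_dn` starts with `DEFAULT_OU` and ends with the suffix. A one-line comment above the fallback stating that the OU is the leftmost RDN and the suffix the rightmost would also help the next reader.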

Adam Young (ayoung) wrote :

Until patch is applied, the work-around is to specify

user_tree_dn = ou=Users,cn=example,cn=com
tenant_tree_dn = ou=Tenants,cn=example,cn=com
role_tree_dn = ou=Roles,cn=example,cn=com

in keystone.conf
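
A check for the work-around above, as an added example that is not part of the original comment or of Keystone's code: it parses configuration text and reports any `*_tree_dn` value that does not sit under the suffix, which is how the backwards DN from this bug would show up. The `[ldap]` section name and the `suffix` option name are assumptions, the function names are hypothetical, and the sample configuration is constructed.

```python
import configparser

# Constructed sample: one correct tree DN and one built backwards.
SAMPLE_CONF = """\
[ldap]
suffix = cn=example,cn=com
user_tree_dn = ou=Users,cn=example,cn=com
tenant_tree_dn = cn=example,cn=com,ou=Tenants
"""

def split_dn(dn):
    """Split a DN into RDN strings on commas not escaped with a backslash."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def _norm(rdn):
    # Simplification: compare attribute type and value case-insensitively.
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()

def is_under(tree_dn, suffix):
    """True if tree_dn is a strict descendant of suffix (suffix is rightmost)."""
    tree = [_norm(r) for r in split_dn(tree_dn)]
    base = [_norm(r) for r in split_dn(suffix)]
    return len(tree) > len(base) and tree[-len(base):] == base

def misplaced_tree_dns(conf_text, section="ldap"):
    """Return {option: value} for *_tree_dn options not under the suffix."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    suffix = cp.get(section, "suffix")
    return {opt: val for opt, val in cp.items(section)
            if opt.endswith("_tree_dn") and not is_under(val, suffix)}

if __name__ == "__main__":
    print(misplaced_tree_dns(SAMPLE_CONF))
```
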

Fix proposed to branch: master
Review: https://review.openstack.org/6504

Changed in keystone:
status: New → In Progress
Changed in keystone:
status: In Progress → Confirmed
Changed in keystone:
status: Confirmed → In Progress
status: In Progress → Confirmed
Thierry Carrez (ttx) wrote :

Fix should be re-proposed

Joseph Heck (heckj) on 2012-06-07
Changed in keystone:
importance: Undecided → Low
Changed in keystone:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/6504
Committed: http://github.com/openstack/keystone/commit/58105d8f5637109ea1f68c94cf8f120399d54dea
Submitter: Jenkins
Branch: master

commit 58105d8f5637109ea1f68c94cf8f120399d54dea
Author: Adam Young <email address hidden>
Date: Wed Jun 27 18:20:16 2012 -0400

    Correct Tree DN

    instead of
        cn=example,cn=com,ou=Users
    code now generates
        ou=Users,cn=example,cn=com

    Getting stricter in testing and adding some regression testing

    Fixes Bug 980209

    Change-Id: Ib97e6cb00848ea183c7e1f2b2589b25924a08caa

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-07-04
Changed in keystone:
milestone: none → folsom-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in keystone:
milestone: folsom-2 → 2012.2