Comment 6 for bug 997700

Tim Spriggs (tims-t) wrote:

I looked a little more carefully at the code [1] and also noticed that you have a query where you then return the first result:

    return users[0]

I am still not fully aware of the rest of the code, but this breaks when a non-unique field is chosen (such as sn). Also, watching the queries on the backend LDAP server [2] I notice that you run 3 queries in order to authenticate a user:

    1. search for user
    2. get user entry
    3. bind as user

Also, each query is done through a separate (and authenticated) connection to the LDAP server.

Why not just bind if you have a base DN already? In the case below it would end up looking like:

    BIND REQ conn=3098764 op=0 msgID=1 type=SIMPLE dn="sn=Spriggs,ou=People,dc=base_dn"

From there you can immediately run (on the now authenticated connection) a query for the user object that you know exists, since you just bound to it correctly. This is where specifying uid instead of sn in the config helps other sites too.

Finally, in the quest to find groups [3] it looks like there is a bug when none are found, thus the search for "cn=None,ou=Groups,...". I'd like to also suggest changing the filter to eventually fill out as:

(|
  (&(memberUid=tims)(objectClass=posixGroup))
  (&(uniqueMember=uid=tims,ou=People,dc=base_dn)(objectClass=groupOfUniqueNames))
)

Feel free to contact me offlist if you have questions. I'd be happy to jump in and test with you in the next two weeks.

Cheers,
-Tim

--

[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L272

[2] Find/auth user
    SEARCH REQ conn=3098762 op=1 msgID=2 base="ou=People,dc=base_dn" scope=singleLevel filter="(&(sn=Spriggs)(objectClass=inetOrgPerson))" attrs="ALL"
    SEARCH REQ conn=3098763 op=1 msgID=2 base="uid=tims,ou=People,dc=base_dn" scope=baseObject filter="(objectClass=inetOrgPerson)" attrs="ALL"
    BIND REQ conn=3098764 op=0 msgID=1 type=SIMPLE dn="uid=tims,ou=People,dc=base_dn"

[3] Find groups
    SEARCH REQ conn=3098765 op=1 msgID=2 base="ou=Groups,dc=base_dn" scope=singleLevel filter="(&(memberUid=uid=tims,ou=People,dc=base_dn)(objectClass=posixGroup))" attrs="ALL"
    SEARCH REQ conn=3098766 op=1 msgID=2 base="cn=None,ou=Groups,dc=base_dn" scope=baseObject filter="(objectClass=posixGroup)" attrs="ALL"
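The following is a worked example added here; it is not part of Tim's comment and not Keystone's LDAP backend code. It shows the three points the comment makes in running form: building the DN to bind as directly from the configured identifier attribute (so the preliminary search is unnecessary), refusing to return users[0] when the configured attribute (such as sn) matches more than one entry, and the two-branch group filter that covers both posixGroup (bare uid in memberUid) and groupOfUniqueNames (full DN in uniqueMember). The escaping helpers follow RFC 4514 (DN values) and RFC 4515 (filter values) so a username containing '*', ')' or ',' cannot alter the filter or DN structure. The function names, the in-memory directory entries and the group names are this example's own constructed assumptions, not data from the bug report.

```python
"""Added example, not Keystone's code: bind-DN construction, the two-branch
group filter proposed in the comment, RFC 4514/4515 escaping, and a lookup
that refuses to guess when the configured user attribute is not unique.
All directory entries below are constructed sample data."""

from typing import Optional

# Characters that must be hex-escaped inside a search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value before splicing it into a search filter,
    so '*' or ')' in a username cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use as a DN component (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(id_attr: str, value: str, user_base: str) -> str:
    """DN to bind as directly, skipping the preliminary search, e.g.
    user_dn('uid', 'tims', 'ou=People,dc=base_dn') -> 'uid=tims,ou=People,dc=base_dn'."""
    return f"{id_attr}={escape_dn_value(value)},{user_base}"


def group_filter(uid: str, dn: str) -> str:
    """The OR filter from the comment: posixGroup lists members by bare uid in
    memberUid, groupOfUniqueNames lists them by full DN in uniqueMember."""
    return (
        "(|"
        f"(&(memberUid={escape_filter_value(uid)})(objectClass=posixGroup))"
        f"(&(uniqueMember={escape_filter_value(dn)})(objectClass=groupOfUniqueNames))"
        ")"
    )


class AmbiguousUser(Exception):
    """Raised instead of silently returning users[0] when several entries match."""


# Constructed sample directory: two people share sn=Spriggs, so sn cannot identify a user.
SAMPLE_PEOPLE = [
    ("uid=tims,ou=People,dc=base_dn",
     {"uid": ["tims"], "sn": ["Spriggs"], "objectClass": ["inetOrgPerson"]}),
    ("uid=jspriggs,ou=People,dc=base_dn",
     {"uid": ["jspriggs"], "sn": ["Spriggs"], "objectClass": ["inetOrgPerson"]}),
]

# Constructed sample groups of both object classes; tims is in admins and devs only.
SAMPLE_GROUPS = [
    ("cn=admins,ou=Groups,dc=base_dn",
     {"objectClass": ["posixGroup"], "memberUid": ["tims", "alice"]}),
    ("cn=devs,ou=Groups,dc=base_dn",
     {"objectClass": ["groupOfUniqueNames"], "uniqueMember": ["uid=tims,ou=People,dc=base_dn"]}),
    ("cn=ops,ou=Groups,dc=base_dn",
     {"objectClass": ["posixGroup"], "memberUid": ["alice"]}),
]


def find_user(entries, attr: str, value: str) -> Optional[str]:
    """Return the single DN whose `attr` equals `value`, None if absent, and
    raise AmbiguousUser rather than pick one when several entries match."""
    matches = [dn for dn, attrs in entries if value in attrs.get(attr, [])]
    if not matches:
        return None
    if len(matches) > 1:
        raise AmbiguousUser(f"{attr}={value} matches {len(matches)} entries: {matches}")
    return matches[0]


def member_groups(groups, uid: str, dn: str) -> list:
    """Evaluate the same two branches as group_filter() against in-memory
    entries; an empty list is the 'no groups' case (no cn=None lookup needed)."""
    found = []
    for gdn, attrs in groups:
        classes = attrs.get("objectClass", [])
        if "posixGroup" in classes and uid in attrs.get("memberUid", []):
            found.append(gdn)
        elif "groupOfUniqueNames" in classes and dn in attrs.get("uniqueMember", []):
            found.append(gdn)
    return found


if __name__ == "__main__":
    dn = user_dn("uid", "tims", "ou=People,dc=base_dn")
    print(dn)
    print(group_filter("tims", dn))
    print(member_groups(SAMPLE_GROUPS, "tims", dn))
```

Against a real server, user_dn() gives the DN for the single SIMPLE bind the comment proposes, and group_filter() is the string to send in one search under the groups base; member_groups() only mirrors that filter's semantics over the constructed entries so the example runs offline. Note that the log in [3] puts a full DN into memberUid, which no ordinary posixGroup will match; the filter above puts the bare uid there and reserves the DN for the uniqueMember branch.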