Nova's LDAP schema has an unneeded requirement on the nis or bis schema
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Medium | Ryan Lane | |
Bug Description
Though requiring the nis or bis schema doesn't necessarily exclude Active Directory, it adds an unneeded and bothersome requirement to include the nis schema, and forces the use of the uid attribute.
It would be better if the schema defined novaUser as follows:
```
objectClass (
    novaOCs:1
    NAME 'novaUser'
    DESC 'access and secret keys'
    AUXILIARY
    MUST ( cn )
    MAY ( accessKey $ secretKey $ isAdmin )
)
```
This puts the requirement on person or inetorgperson instead, which is mostly universally used for user entries.
The code should default to using cn, but the configuration should default to using uid. Allowing this to be a configurable option allows users to define which attribute their directory server should be using, such as sAMAccountName in AD.
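As an added illustration of the configurable name attribute described above (this is example code, not nova's ldapdriver), the helper below builds a search filter for a novaUser by whichever attribute the operator configured (uid, cn, or sAMAccountName) and assembles an entry that always carries the cn the proposed schema requires. Values come from users, so they are escaped per RFC 4515 before being placed in the filter; the attribute name comes from configuration and is validated separately. The function names and the "TRUE"/"FALSE" encoding of isAdmin are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value, otherwise a user-supplied name can inject extra filter
# terms such as "*" or ")(uid=*".
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute names are restricted to the LDAP descriptor syntax (RFC 4512).
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(name: str, name_attr: str = "uid") -> str:
    """Return a filter matching one novaUser by the configured name attribute.

    name_attr is operator configuration (uid by default, cn or sAMAccountName
    for other directories); it is validated rather than escaped because it
    names an attribute, not a value.
    """
    if not _ATTR_RE.match(name_attr):
        raise ValueError("invalid attribute name: %r" % name_attr)
    return "(&(objectClass=novaUser)(%s=%s))" % (name_attr, escape_filter_value(name))


def build_user_entry(name, access_key, secret_key, is_admin=False, name_attr="cn"):
    """Build the attribute set for a new novaUser entry (hypothetical helper).

    cn is always present because the proposed schema lists it as MUST; the
    configured name attribute is added alongside it when it differs.
    """
    entry = {
        "objectClass": ["person", "novaUser"],
        "cn": [name],
        "sn": [name],  # person requires sn as well as cn
        "accessKey": [access_key],
        "secretKey": [secret_key],
        "isAdmin": ["TRUE" if is_admin else "FALSE"],  # LDAP Boolean syntax
    }
    if name_attr != "cn":
        entry[name_attr] = [name]
    return entry
```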
Related branches
- Devin Carlen (community): Approve
- Vish Ishaya (community): Approve

Diff: 576 lines (+107/-153), 8 files modified:
- nova/auth/fakeldap.py (+3/-0)
- nova/auth/ldapdriver.py (+92/-73)
- nova/auth/nova_openldap.schema (+6/-40)
- nova/auth/nova_sun.schema (+5/-8)
- nova/auth/opendj.sh (+0/-1)
- nova/auth/openssh-lpk_openldap.schema (+0/-19)
- nova/auth/openssh-lpk_sun.schema (+0/-10)
- nova/auth/slap.sh (+1/-2)
Changed in nova:
- assignee: nobody → Ryan Lane (rlane)
- importance: Undecided → Medium
- status: New → In Progress

Changed in nova:
- status: In Progress → Fix Committed

Changed in nova:
- milestone: none → 2011.1
- status: Fix Committed → Fix Released
Looking at the inetorgperson schema, it looks like uid is defined as a 'may' attribute. So there isn't a requirement on nis or bis, but this still complicates configuration for AD users, or users who use something other than uid as their username attribute, so the above schema change would still be necessary for proper interoperability.