LDAP group_members_are_ids = false fails in Rocky/Stein
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
New
|
Undecided
|
Unassigned | ||
keystone (Ubuntu) |
New
|
Undecided
|
Pen Gale |
Bug Description
I'm running into an interesting issue with the group_members_
Per the documentation, this means that the group's group_member_
Unfortunately, the call to self._transform
This code is here:
https:/
This calls out to:
return ldap.dn.
from: https:/
>>> ldap.dn.
[[('cn', 'Michael Str\xc3\xb6der', 4)], [('dc', 'example', 1)], [('dc', 'com', 1)]]
Which would then mean the return from _dn_to_id(user_key) would be "Michael Str\xc3\xb6der" or "dfreiberger" in my example user_key above.
Ultimately, this means that either group_members_
- The problem is that the _transform_
returning a user ID such as the typical hex ID of a user in the
keystone database, not the username of the user.
- With group_members_
but with group_members_
function.
- Also, the _dn_to_id(user_key) from the group only returns the first entry in the DN, not the actual user_id_attribute or user_name_attribute field of the object. This requires a broken assumption that the user_id_attribute field called out in the ldap client config is also the first field of the distinguished name.
- This would bug out if, say, your group had a member attribute/value pair of:
member="cn=Drew Freiberger,
Changed in keystone (Ubuntu): | |
assignee: | nobody → James Page (james-page) |
Reading through the code, and testing a few hacks on _dn_to_id, I can confirm that the method naively finds the value of the first element of the user key, without trying to figure out whether it's a uid or not.
@afreiberger one thing I'm not clear on -- in your case, is there a "uid" field in the key that you're passing in. Is it just a matter of finding and returning that uid? Or do you want to actually do a lookup for "Name.domain.tld" in a database, and return the uid of that entry?