Public bug reported:

- ubuntu 16.04
- keystone 2:9.2.0-ubuntu1 (mitaka)
- python-openstackclient 2.3.0-2
- swift 2.7.0-0ubuntu2 (mitaka)
Hi, I got a Keystone installation with a domain using the LDAP driver to connect to AD (read-only). It's working great, and even though I don't administrate the AD the separation hasn't been a problem until now. Primary usage is to authenticate users with Swift. Projects and project members are more or less mapped 1:1 to specific AD groups, generated during setup. An ongoing process has been to keep this up to date with new/old employees/groups.

The issue arises with the current company policy, where the user accounts of old employees are not disabled, but moved to a separate OU. For instance:

| CN=Doe, John, OU=Users, DC=DOMAIN, DC=COM
| CN=Doe, John, OU=Former employees, DC=DOMAIN, DC=COM

Whenever this happens it seems to break the role assignment for the user. Commands such as listing users in the user's project, or looking up the user's details, yield the error "Could not find resource <id>". Does moving users in AD break the identity mapping, and thus their ID with relations stored in Keystone? Is there any possible configuration that can be done to avoid this?

--- keystone.DOMAIN.conf ----

[ldap]
url =
user =
password =
suffix =
query_scope = sub
page_size = 500
user_tree_dn =
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore =
user_allow_create = false
user_allow_update = false
user_allow_delete = false

[identity]
driver = ldap

--- openstack_user_list.txt ----

# user's id is listed in response to listing users that belong in a project,
# and while keystone is able to find the correct username based on id, it can't find the user itself
$ openstack user list --debug --project PROJECT --long
...
REQ: curl -g -i -X GET https://domain.com:35357/v3/role_assignments?scope.project.id=<id> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/role_assignments?scope.project.id=<id> HTTP/1.1" 200 4401
RESP: [200] Content-Length: 4401 Vary: X-Auth-Token Keep-Alive: timeout=5, max=98 Server: Apache/2.4.18 (Ubuntu) Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT x-openstack-request-id: req-<id> Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"role_assignments": [{"scope": {"project": {"id": "<id>"}}, "role": {"id": "<id>"}, "user": {"id": "<id>"}, "links": {"assignment": "https://domain.com:35357/v3/projects/<id>/users/<id>/roles/<id>"}}, ...
...
REQ: curl -g -i -X GET https://domain.com:35357/v3/users/<id> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/users/<id> HTTP/1.1" 404 89
RESP: [404] Content-Length: 89 Vary: X-Auth-Token Keep-Alive: timeout=5, max=89 Server: Apache/2.4.18 (Ubuntu) Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT x-openstack-request-id: req-<id> Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"error": {"message": "Could not find user: <username>", "code": 404, "title": "Not Found"}}
...
Could not find resource <id>

** Affects: keystone
   Importance: Undecided
   Status: New

** Tags: ldap

https://bugs.launchpad.net/bugs/1658641

Title:
  Moving/disabling LDAP users break Keystone queries depending on role ID

Status in OpenStack Identity (keystone):
  New
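The reporter's question, whether the move breaks the identity mapping, can be reasoned through with a small model. In Keystone's LDAP backend a public user ID is first looked up in the id_mapping table to recover the local ID (here sAMAccountName, which does not change when an entry is moved between OUs), and the user is then searched for under user_tree_dn. The 404 body above, "Could not find user: <username>", shows that the first step succeeded and the second failed. The script below is an added example written for this page, not Keystone or python-keystoneclient code. It assumes the redacted user_tree_dn is the Users OU (OU=Users,DC=domain,DC=com), replaces AD with a constructed in-memory dict (the domain ID, the jdoe account, the swift-project/member assignment and the KeystoneLdapModel and dangling_assignments helpers are all invented here), and derives the public ID the way Keystone's default sha256 generator is assumed to: the mapping fields hashed in sorted key order, with the DN playing no part. It shows that the role assignment survives the move while the user lookup fails, provides an audit check for such dangling assignments, and shows the caveat of simply widening user_tree_dn: because the account was moved rather than disabled, it comes back enabled and keeps its Swift role.

```python
"""Model of Keystone's LDAP user lookup: id_mapping (public ID -> local ID)
followed by a search scoped at user_tree_dn. Added example, not Keystone
code; a constructed dict stands in for AD and DNs carry no escaped commas."""
import hashlib

DOMAIN_ID = "a1b2c3d4e5f6"                          # constructed domain ID
USERS_OU = "OU=Users,DC=domain,DC=com"              # assumed user_tree_dn
FORMER_OU = "OU=Former employees,DC=domain,DC=com"
ACCOUNTDISABLE = 2                                  # = user_enabled_mask


class UserNotFound(Exception):
    def __init__(self, user_id):
        super().__init__("Could not find user: %s" % user_id)


def public_id(domain_id, local_id, entity_type="user"):
    """Assumed to match Keystone's default sha256 generator: mapping fields
    hashed in sorted key order. The DN is not an input, so a move is invisible."""
    fields = {"domain_id": domain_id, "entity_type": entity_type, "local_id": local_id}
    digest = hashlib.sha256()
    for key in sorted(fields):
        digest.update(fields[key].encode("utf-8"))
    return digest.hexdigest()


def is_under(dn, base_dn):
    """Subtree-scope test (query_scope = sub): is dn at or below base_dn?"""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


class KeystoneLdapModel:
    """Just enough of the LDAP identity backend to reproduce the 404."""

    def __init__(self, directory, user_tree_dn, domain_id=DOMAIN_ID):
        self.directory, self.user_tree_dn, self.domain_id = directory, user_tree_dn, domain_id
        self.id_mapping = {}              # public_id -> local_id (SQL id_mapping table)

    def list_users(self):
        """Enumerate users under user_tree_dn, creating mapping rows on first sight."""
        ids = []
        for dn, attrs in self.directory.items():
            if is_under(dn, self.user_tree_dn):
                pid = public_id(self.domain_id, attrs["sAMAccountName"])
                self.id_mapping[pid] = attrs["sAMAccountName"]
                ids.append(pid)
        return ids

    def get_user(self, pid):
        """GET /v3/users/<id>: resolve the local ID, then search under user_tree_dn."""
        local_id = self.id_mapping.get(pid)
        if local_id is None:
            raise UserNotFound(pid)
        for dn, attrs in self.directory.items():
            if is_under(dn, self.user_tree_dn) and attrs["sAMAccountName"] == local_id:
                # user_enabled_attribute/user_enabled_mask: disable bit clear => enabled
                return {"id": pid, "name": local_id, "dn": dn,
                        "enabled": not attrs["userAccountControl"] & ACCOUNTDISABLE}
        raise UserNotFound(local_id)      # the message seen in the 404 body


def dangling_assignments(ks, role_assignments):
    """Audit check: assignments whose user Keystone can no longer resolve."""
    dangling = []
    for ra in role_assignments:
        try:
            ks.get_user(ra["user_id"])
        except UserNotFound:
            dangling.append(ra)
    return dangling


def scenario():
    directory = {"CN=jdoe,%s" % USERS_OU: {"sAMAccountName": "jdoe",
                                           "userAccountControl": 512}}  # constructed
    ks = KeystoneLdapModel(directory, USERS_OU)
    ks.list_users()                       # populates id_mapping as a listing would
    jdoe = public_id(DOMAIN_ID, "jdoe")
    assignments = [{"user_id": jdoe, "project_id": "swift-project", "role_id": "member"}]

    # The policy from the report: move the leaver, do not disable the account.
    directory["CN=jdoe,%s" % FORMER_OU] = directory.pop("CN=jdoe,%s" % USERS_OU)
    try:
        ks.get_user(jdoe)
        error = None
    except UserNotFound as exc:
        error = str(exc)

    # Widening user_tree_dn to the domain root resolves the user again, but the
    # never-disabled account comes back enabled and keeps its role.
    wide = KeystoneLdapModel(directory, "DC=domain,DC=com")
    wide.id_mapping = ks.id_mapping
    return {"public_id_stable": public_id(DOMAIN_ID, "jdoe") == jdoe,
            "error": error,
            "dangling": dangling_assignments(ks, assignments),
            "still_enabled_with_wide_tree": wide.get_user(jdoe)["enabled"]}


if __name__ == "__main__":
    for key, value in scenario().items():
        print("%-29s %s" % (key, value))
```

Run as a script it prints the four results: the public ID is unchanged by the move, the lookup fails with the same "Could not find user" message as the 404 above, the project's role assignment is left dangling, and a wider search base would bring the account back enabled. The audit check is the practical part: the equivalent run against the real role_assignments list and directory finds every user a project still grants access to but Keystone can no longer resolve. If the directory policy cannot be changed, those assignments are better removed (openstack role remove) than hidden by widening user_tree_dn, which would restore access for accounts that were never disabled.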