** Changed in: keystone
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1210675
Title:
  Role lookup fails for Active Directory

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When using Keystone against an Active Directory server, assigned roles
  aren't found for users. To recreate, set up Keystone to go against
  Active Directory, create users and roles, then try to get a token scoped
  to a project as a user. It will fail with

    User admin is unauthorized for tenant 3c1299e1042a40009691dfb3ad474180 (HTTP 401)

  I looked into this a bit, and it looks like the problem is that DNs
  aren't being compared correctly. With Active Directory, when you add a
  roleOccupant, the DN gets normalized. For example, here I add a "cn=..."
  DN to an entry, but when I search to get it back, it's now "CN=..." (the
  attribute name has been capitalized).

    $ ldapmodify <<EOF
    dn: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
    add: roleOccupant
    roleOccupant: cn=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
    EOF
    modifying entry "CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups"

    $ ldapsearch -LL -s base \
      -b "CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups" \
      "(objectclass=organizationalRole)" roleOccupant
    version: 1
    dn: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
    roleOccupant: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3a
     d474180,ou=groups

  There's suspect code in keystone/assignment/backends/ldap.py:

    return [self.role._dn_to_id(a.role_dn) for a in role_assignments
            if a.user_dn == user_dn]

  Here, user_dn is like 'cn=xxx' and the result user_dn is like 'CN=xxx',
  so they don't match. Keystone needs to do DN comparisons properly, for
  example by normalizing.
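The comparison the reporter points at is a plain string equality, which is wrong for DNs in both directions: too strict and a legitimate user loses their roles (the 401 above); too loose (for instance lower-casing the whole string and ignoring escaping) and two distinct values can collide. The following is an added example, not Keystone's code, showing a structural comparison: the DN is parsed per RFC 4514 into RDNs and attribute/value pairs, attribute types are compared case-insensitively, and values are case-folded only for attribute types that use caseIgnoreMatch. The CASE_IGNORE_TYPES list, the dn_to_id() stand-in for Keystone's _dn_to_id(), and the ROLE_ASSIGNMENTS sample are assumptions constructed for the example; only the tenant and role IDs come from the report.

```python
"""Structural LDAP DN comparison (added example, not Keystone's code).

Parses a DN per RFC 4514 into a list of RDNs, each a set of
(attribute type, value) pairs, and compares the parsed form, so the
'cn=' vs 'CN=' difference Active Directory introduces no longer matters.
Attribute types are always case-insensitive. Values are case-folded only
for types whose matching rule is caseIgnoreMatch; that list is an
assumption hard-coded below, not read from the server schema.
"""

# Assumption: attribute types commonly seen in DNs that use caseIgnoreMatch.
CASE_IGNORE_TYPES = {"cn", "ou", "o", "dc", "uid", "l", "st", "c", "street"}


def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash escapes (e.g. '\\,' or '\\2c') intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape for _unescape()
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Decode RFC 4514 escapes: '\\X' for a special character, '\\HH' for a raw byte."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(dn):
    """Return a list with one frozenset of (type, value) pairs per RDN."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("malformed RDN: %r" % ava)
            atype, value = ava.split("=", 1)
            atype = atype.strip().lower()  # attribute types are case-insensitive
            value = _unescape(value.strip())
            if atype in CASE_IGNORE_TYPES:
                # caseIgnoreMatch: fold case and collapse insignificant spaces
                value = " ".join(value.casefold().split())
            avas.add((atype, value))
        rdns.append(frozenset(avas))
    return rdns


def dn_equal(a, b):
    """True if a and b name the same entry, whatever the spelling."""
    return parse_dn(a) == parse_dn(b)


def dn_to_id(dn):
    """Stand-in (assumption) for Keystone's _dn_to_id: value of the first RDN, not folded."""
    first_rdn = _split_unescaped(dn, ",")[0]
    return _unescape(first_rdn.split("=", 1)[1].strip())


# Constructed sample: a role entry as Active Directory hands it back, with the
# roleOccupant (user DN) rewritten to 'CN=' / 'OU=' even though 'cn=' was stored.
ROLE_ASSIGNMENTS = [
    {"role_dn": "CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups",
     "user_dn": "CN=admin,OU=users"},
]
QUERY_USER_DN = "cn=admin,ou=users"  # the DN Keystone built for the user


def roles_for_user_naive(assignments, user_dn):
    """The comparison from the bug report: exact string equality."""
    return [dn_to_id(a["role_dn"]) for a in assignments if a["user_dn"] == user_dn]


def roles_for_user(assignments, user_dn):
    """Same lookup with structural DN comparison."""
    return [dn_to_id(a["role_dn"]) for a in assignments if dn_equal(a["user_dn"], user_dn)]


if __name__ == "__main__":
    print("naive:     ", roles_for_user_naive(ROLE_ASSIGNMENTS, QUERY_USER_DN))
    print("structural:", roles_for_user(ROLE_ASSIGNMENTS, QUERY_USER_DN))
```

Two points a practitioner should check before adopting something like this: folding values is only correct for attribute types whose matching rule is case-insensitive, so the list of such types should come from the directory schema rather than a constant; and the parser must handle escapes, otherwise 'cn=Smith\, John' and 'cn=Smith\2c John' (the same value in two legal spellings) compare unequal, while a crude whole-string lower() would compare things equal that the directory keeps distinct.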