Public bug reported:

The 'group_member_attribute' is used in Keystone when looking for groups in LDAP to find membership. But when using 'user_enable_emulation', the following code in keystone/common/ldap/core.py references a hard-coded 'member' entry instead of 'group_member_attribute'.

---
    def _get_enabled(self, object_id):
        dn = self._id_to_dn(object_id)
        query = '(member=%s)' % dn    # <---- Here
        with self.get_connection() as conn:
            try:
                enabled_value = conn.search_s(self.enabled_emulation_dn,
                                              ldap.SCOPE_BASE,
                                              query, ['cn'])
            except ldap.NO_SUCH_OBJECT:
                return False
            else:
                return bool(enabled_value)
---

As a result, when integrating Keystone with an LDAP back-end and using the 'enabled_user_emulation' feature with a group for which the membership attribute is 'uniquemember', users are listed as not enabled.

** Affects: keystone
   Importance: Undecided
   Assignee: Nathan Kinder (nkinder)
   Status: New

** Changed in: keystone
   Assignee: (unassigned) => Nathan Kinder (nkinder)

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515302

Title:
  Group membership attribute is hard-coded when using 'user_enable_emulation'

Status in OpenStack Identity (keystone):
  New
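As an added illustration (example code written here, not Keystone's or the reporter's), the script below simulates the SCOPE_BASE search that _get_enabled() performs against the enabled-emulation group, using a constructed in-memory entry whose membership attribute is 'uniquemember'. With the hard-coded 'member' filter the user comes back disabled; when the filter is built from the configured attribute (the equivalent of group_member_attribute) the same user comes back enabled. FakeConnection, the DNs and the attribute names are assumptions; the RFC 4515 value escaping is added hardening that stands in for python-ldap's ldap.filter.escape_filter_chars so the example runs without the library.

```python
"""Added example (not Keystone's code): the enabled-emulation check must use the
configured membership attribute rather than a hard-coded 'member'.
"""

# Constructed enabled-emulation group (groupOfUniqueNames), i.e. the case the
# bug report describes where membership lives in 'uniquemember'.
ENABLED_EMULATION_DN = "cn=enabled_users,ou=groups,dc=example,dc=com"  # assumed
DIRECTORY = {
    ENABLED_EMULATION_DN: {
        "cn": ["enabled_users"],
        "objectClass": ["groupOfUniqueNames"],
        "uniquemember": [
            "uid=alice,ou=users,dc=example,dc=com",
            "uid=bob,ou=users,dc=example,dc=com",
        ],
    }
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter.
    Stands in for ldap.filter.escape_filter_chars (python-ldap)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used by the fake search below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_enabled_query(dn, member_attribute):
    """Build the single-entry filter that _get_enabled() runs with SCOPE_BASE.
    member_attribute is the configured value (group_member_attribute), not 'member'."""
    return "(%s=%s)" % (member_attribute, escape_filter_value(dn))


class FakeConnection(object):
    """Assumed stand-in for a python-ldap connection: only a SCOPE_BASE search_s
    over '(attr=value)' filters, enough to mirror the check in the report."""

    def __init__(self, directory):
        self.directory = directory

    def search_s(self, base, query, attrlist):
        entry = self.directory.get(base)
        if entry is None:
            raise KeyError("NO_SUCH_OBJECT")  # python-ldap raises ldap.NO_SUCH_OBJECT
        attr, _, value = query[1:-1].partition("=")
        value = unescape_filter_value(value)
        # LDAP attribute names are case-insensitive, so match accordingly.
        members = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        if value in members:
            return [(base, {a: entry.get(a, []) for a in attrlist})]
        return []


def get_enabled(conn, dn, member_attribute):
    """Mirror of _get_enabled(): the user is enabled iff the emulation group lists it."""
    query = build_enabled_query(dn, member_attribute)
    try:
        enabled_value = conn.search_s(ENABLED_EMULATION_DN, query, ["cn"])
    except KeyError:
        return False
    return bool(enabled_value)


def demo():
    conn = FakeConnection(DIRECTORY)
    alice = "uid=alice,ou=users,dc=example,dc=com"
    mallory = "uid=mallory,ou=users,dc=example,dc=com"  # constructed, not in the group
    return {
        "hardcoded_member": get_enabled(conn, alice, "member"),            # False: the bug
        "configured_attribute": get_enabled(conn, alice, "uniquemember"),  # True: the fix
        "unknown_user": get_enabled(conn, mallory, "uniquemember"),        # False
    }


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%-22s %s" % (name, value))
```

Running it shows the same directory entry answering "disabled" for alice under the hard-coded filter and "enabled" once the configured attribute is used; the only difference between the two calls is the attribute name in the filter.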