** Also affects: keystone (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: keystone (Ubuntu)
   Status: New => Triaged

** Changed in: keystone (Ubuntu)
   Importance: Undecided => Medium

** Also affects: keystone (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: keystone (Ubuntu Eoan)
   Importance: Medium
   Status: Triaged

** Also affects: keystone (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: keystone (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Changed in: keystone (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: keystone (Ubuntu Cosmic)
   Status: New => Triaged

** Changed in: keystone (Ubuntu Disco)
   Status: New => Triaged

** Changed in: keystone (Ubuntu Cosmic)
   Importance: Undecided => Medium

** Changed in: keystone (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: keystone (Ubuntu Disco)
   Importance: Undecided => Medium

** Also affects: cloud-archive
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/stein
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/queens
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/train
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/rocky
   Importance: Undecided
   Status: New

** Changed in: cloud-archive/queens
   Importance: Undecided => Medium

** Changed in: cloud-archive/queens
   Status: New => Triaged

** Changed in: cloud-archive/rocky
   Importance: Undecided => Medium

** Changed in: cloud-archive/rocky
   Status: New => Triaged

** Changed in: cloud-archive/stein
   Importance: Undecided => Medium

** Changed in: cloud-archive/stein
   Status: New => Triaged

** Changed in: cloud-archive/train
   Importance: Undecided => Medium

** Changed in: cloud-archive/train
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1782922

Title:
  LDAP: changing user_id_attribute bricks group mapping

Status in Ubuntu Cloud Archive:
  Triaged
Status in Ubuntu Cloud Archive queens series:
  Triaged
Status in Ubuntu Cloud Archive rocky series:
  Triaged
Status in Ubuntu Cloud Archive stein series:
  Triaged
Status in Ubuntu Cloud Archive train series:
  Triaged
Status in OpenStack Identity (keystone):
  In Progress
Status in keystone package in Ubuntu:
  Triaged
Status in keystone source package in Bionic:
  Triaged
Status in keystone source package in Cosmic:
  Triaged
Status in keystone source package in Disco:
  Triaged
Status in keystone source package in Eoan:
  Triaged

Bug description:
  Env Details:
    OpenStack version: Queens (17.0.5)
    OS: CentOS 7.5
    LDAP: Active Directory, Windows Server 2012R2

  We changed the user_id_attribute to sAMAccountName when configuring
  keystone:

    [ldap]
    user_id_attribute = "sAMAccountName"
    group_members_are_ids = False

  Unfortunately this bricks the group mapping logic in keystone.

  The relevant code in keystone: `list_users_in_group` [1] gets all
  groups from the LDAP server and then calls
  `_transform_group_member_ids`. `_transform_group_member_ids` tries to
  match the user ids (e.g. for posixGroups) or the DN. However, DN
  matching does not match the full DN. It rather takes the first RDN of
  the DN and computes the keystone user id from it [2]. The first RDN in
  Active Directory is the "CN". The user-create part, on the other hand,
  honors the user_id_attribute and takes "sAMAccountName" in our
  configuration. The generated user ids in keystone therefore no longer
  match, and hence group mapping is broken.

  A fix could be looking up the user by the DN received from the
  'member' attribute of a given group and comparing the configured
  'user_id_attribute' of the received LDAP user with the user id stored
  in keystone.

  A quick fix could also be to mention that behavior in the
  documentation.
  /e: related https://bugs.launchpad.net/keystone/+bug/1231488/comments/19

  [1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
  [2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
  [3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1782922/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
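The mismatch the report describes, as an added example that is not part of the bug report or of keystone's own code. The directory below is a constructed in-memory stand-in for the Active Directory tree (no LDAP connection is made), and `first_rdn_value`, `member_ids_from_first_rdn`, `member_ids_by_dn_lookup` and `users_in_group` are hypothetical names chosen for this example. `member_ids_from_first_rdn` models the "take the first RDN of the member DN" shortcut the reporter points at in [2]; `member_ids_by_dn_lookup` models the proposed fix of resolving each `member` DN and reading the configured `user_id_attribute` from that entry. With `user_id_attribute = cn` both agree; with `sAMAccountName` only the DN lookup still maps members to the ids keystone generated for the users.

```python
"""Added example, not keystone code: reproduce the user id mismatch from
bug 1782922 and show the DN-lookup behaviour the report proposes."""

GROUP_DN = "CN=cloud-admins,OU=Groups,DC=example,DC=com"

# Constructed sample directory. Keys are entry DNs; attribute values are
# lists, matching what an LDAP client library returns. One user has a comma
# in its CN so the RDN handling is exercised on an escaped value.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "cn": ["Jane Doe"],
        "sAMAccountName": ["jdoe"],
    },
    "CN=Smith\\, John,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "cn": ["Smith, John"],
        "sAMAccountName": ["jsmith"],
    },
    GROUP_DN: {
        "objectClass": ["group"],
        "cn": ["cloud-admins"],
        "sAMAccountName": ["cloud-admins"],
        "member": [
            "CN=Jane Doe,OU=Users,DC=example,DC=com",
            "CN=Smith\\, John,OU=Users,DC=example,DC=com",
        ],
    },
}


def _split_unescaped(text, sep):
    """Split on `sep` while leaving backslash-escaped separators intact."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def first_rdn_value(dn):
    """Value of the leading RDN ("CN=..." in AD), with escaped commas unescaped."""
    first = _split_unescaped(dn, ",")[0]
    _, _, value = first.partition("=")
    return value.replace("\\,", ",").strip()


def list_user_ids(user_id_attribute):
    """Ids keystone generates when it enumerates users: the configured attribute."""
    return {
        dn: attrs[user_id_attribute][0]
        for dn, attrs in DIRECTORY.items()
        if "user" in attrs["objectClass"]
    }


def member_ids_from_first_rdn(group_dn, user_id_attribute):
    """Buggy path described in the report: derive the id from the member DN's
    first RDN, ignoring user_id_attribute entirely."""
    return [first_rdn_value(m) for m in DIRECTORY[group_dn]["member"]]


def member_ids_by_dn_lookup(group_dn, user_id_attribute):
    """Proposed fix: resolve each member DN and read the configured attribute.
    Members whose DN no longer resolves are skipped instead of guessed."""
    ids = []
    for member_dn in DIRECTORY[group_dn]["member"]:
        entry = DIRECTORY.get(member_dn)
        if entry is not None:
            ids.append(entry[user_id_attribute][0])
    return ids


def users_in_group(group_dn, user_id_attribute, resolver):
    """Keep only member ids that match a user id keystone would have generated."""
    known = set(list_user_ids(user_id_attribute).values())
    return [uid for uid in resolver(group_dn, user_id_attribute) if uid in known]


if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        print(attr, "first-RDN:", users_in_group(GROUP_DN, attr, member_ids_from_first_rdn))
        print(attr, "DN lookup:", users_in_group(GROUP_DN, attr, member_ids_by_dn_lookup))
```

Running it prints two full member lists for `cn` and, for `sAMAccountName`, an empty list from the first-RDN path against `['jdoe', 'jsmith']` from the DN lookup, which is exactly the "group mapping is broken" symptom. The DN lookup costs one extra search per member, so in a real backend it belongs behind the same `group_members_are_ids` switch the report quotes rather than being done unconditionally.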