Public bug reported:

This is re: http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008210.html
"[keystone] [stein] user_enabled_emulation config problem"

I set:

user_tree_dn = ou=Users,o=UCO
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_enabled_emulation = true
user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
user_enabled_emulation_use_group_config = true
group_tree_dn = ou=Groups,o=UCO
group_objectclass = posixGroup
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = memberUid
group_members_are_ids = true

Keystone properly lists members of the Users group but they all remain disabled.
I ran keystone with debug and discovered that it looks for memberUid=<DN> instead of memberUid=<ID>, e.g.
memberUid=uid=r.piliszek,ou=Users,o=UCO
instead of
memberUid=r.piliszek

I will submit a proposal with my patch to gerrit but will require some assistance with creating a unit test that fails without patch and works with it.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1839133

Title:
  LDAP: group_members_are_ids ignored for user_enabled_emulation_use_group_config
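
The mismatch described in the report, as an added example that is not Keystone code and not the reporter's patch: it builds the group-membership filter both ways and checks each against a constructed posixGroup-style entry. The helper names, the honour_ids switch and the sample entry are assumptions made for illustration; the option values are the ones from the report.

```python
# Added illustration; not Keystone source. Helper names are hypothetical.
# CONF uses the option values from the report; the entries are constructed samples.
CONF = {
    "user_id_attribute": "uid",
    "group_member_attribute": "memberUid",
    "group_members_are_ids": True,
}
USER_DN = "uid=r.piliszek,ou=Users,o=UCO"
GROUP_ENTRY = {"cn": ["Users"], "memberUid": ["r.piliszek"]}  # posixGroup-style


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def dn_to_id(user_dn, id_attr):
    """Take the ID from the leading RDN (assumes no escaped commas in the DN)."""
    attr, sep, value = user_dn.split(",", 1)[0].partition("=")
    if not sep or attr.strip().lower() != id_attr.lower():
        raise ValueError("leading RDN of %r is not %s" % (user_dn, id_attr))
    return value.strip()


def member_value(user_dn, conf, honour_ids=True):
    """Value expected in the member attribute; honour_ids=False mimics the report."""
    if honour_ids and conf["group_members_are_ids"]:
        return dn_to_id(user_dn, conf["user_id_attribute"])
    return user_dn


def membership_filter(user_dn, conf, honour_ids=True):
    """Equality filter used to test membership of the emulation group."""
    value = escape_filter_value(member_value(user_dn, conf, honour_ids))
    return "(%s=%s)" % (conf["group_member_attribute"], value)


def is_enabled(user_dn, conf, group_entry, honour_ids=True):
    """Emulated 'enabled': the group entry must hold the expected member value."""
    members = group_entry.get(conf["group_member_attribute"], [])
    return member_value(user_dn, conf, honour_ids) in members


if __name__ == "__main__":
    for honour in (False, True):
        print(honour, membership_filter(USER_DN, CONF, honour),
              is_enabled(USER_DN, CONF, GROUP_ENTRY, honour))
```

With the ID ignored, the filter asserts the full DN against memberUid and the user is reported as disabled even though the group lists them.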