Bug 1375685

Summary: Need support for OpenDirectory in LDAP driver in RHOSP 8.0
Product: Red Hat OpenStack Reporter: Jeremy <jmelvin>
Component: openstack-keystone    Assignee: Adam Young <ayoung>
Status: CLOSED ERRATA QA Contact: Rodrigo Duarte <rduartes>
Severity: high Docs Contact:
Priority: high    
Version: 8.0 (Liberty)    CC: ayoung, ealcaniz, jdennis, mlopes, mschuppe, nkinder, nlevinki, pablo.iranzo, srevivo
Target Milestone: async    Keywords: ZStream
Target Release: 8.0 (Liberty)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-keystone-8.0.1-3.el7ost Doc Type: Bug Fix
Doc Text:
In certain cases, directories use the concept of POSIX groups, where the entities of users in the groups are represented as UIDs, not full DNs, such as:

dn: cn=group1, cn=groups,dc=domain,dc=com
....
memberUid: user1
memberUid: user2
....

The LDAP driver was previously hardcoded for full DN entities, for example:

dn: cn=group1, cn=groups,dc=domain,dc=com
....
memberUid: uid=user1,cn=users,dc=domain,dc=com
memberUid: uid=user2,cn=users,dc=domain,dc=com
....

This update adds support for LDAP backends using POSIX groups.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-14 19:58:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jeremy 2016-09-13 17:07:49 UTC
Description of problem: Upstream bug is here: https://bugs.launchpad.net/keystone/+bug/1526462. It looks like this is fixed in OSP9.0, however we would like a backport to OSP8.0.


Additional info:


It's not possible with OSP 8 because the memberUID attribute on POSIX users does not contain a DN definition.

In OSP 9 there is an existing patch. We backported it to OSP 8 and it worked as we wanted.

Now, is it possible to have support for that modification?

Here is the patch URL we used:
https://launchpadlibrarian.net/230115945/keystone_ldap_new.patch


And here is the diff of the file we've modified:

diff --git a/keystone/common/config.py b/keystone/common/config.py
index c725026..19245ff 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -825,6 +825,8 @@
                    help='End user auth connection pool size.'),
         cfg.IntOpt('auth_pool_connection_lifetime', default=60,
                    help='End user auth connection lifetime in seconds.'),
+        cfg.StrOpt('user_dn_key', default='dn',
+                   help='Key to extract user dn from LDAP entry'),
     ],
     'auth': [
         cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS,
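Review bot: the help text for the new `user_dn_key` option does not tell an operator which values are meaningful or when to change the default; since the option exists to select between DN-valued members and bare POSIX `memberUid` values, say so (for example: `'dn'` for groups whose members are full DNs, `'id'` for POSIX groups storing bare user IDs). As written, `'Key to extract user dn from LDAP entry'` reads as an internal detail rather than a deployment choice.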
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index 0f7ee45..894c2ab 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -38,6 +38,7 @@
         super(Identity, self).__init__()
         if conf is None:
             conf = CONF
+        self.ldap_user_dn_key = conf.ldap.user_dn_key
         self.user = UserApi(conf)
         self.group = GroupApi(conf)
 
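Review bot: `self.ldap_user_dn_key` is assigned here but nothing else in this diff reads it; the `list_groups_for_user` hunk below hardcodes `user_ref['id']` instead. Either use the attribute where the key is chosen (`user_dn = user_ref[self.ldap_user_dn_key]`) or drop both the attribute and the config option, so operators are not given a setting that has no effect.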
@@ -157,7 +158,7 @@
 
     def list_groups_for_user(self, user_id, hints):
         user_ref = self._get_user(user_id)
-        user_dn = user_ref['dn']
+        user_dn = user_ref['id']
         return self.group.list_user_groups_filtered(user_dn, hints)
 
     def list_groups(self, hints):
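Review bot: replacing `user_ref['dn']` with `user_ref['id']` unconditionally changes behaviour for every deployment, not only POSIX-group ones: with classic DN-valued member attributes, `list_user_groups_filtered` is now asked to match the bare user ID against full DNs and will return no groups. Select the key from the configured `user_dn_key` (stored as `self.ldap_user_dn_key` in this file) so that the default `'dn'` preserves the existing behaviour and only POSIX deployments opt in.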
@@ -166,7 +167,12 @@
     def list_users_in_group(self, group_id, hints):
         users = []
         for user_dn in self.group.list_group_users(group_id):
-            user_id = self.user._dn_to_id(user_dn)
+            try:
+                user_id = self.user._dn_to_id(user_dn)
+            except ldap.DECODING_ERROR:
+                # OpenDirectory uses different entry layout
+                # and stores user id as it is
+                user_id = user_dn
             try:
                 users.append(self.user.get_filtered(user_id))
             except exception.UserNotFound:
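Review bot: using `ldap.DECODING_ERROR` as the signal that a member value is a bare POSIX ID also silently accepts genuinely malformed DNs in non-POSIX groups, turning a directory data error into a lookup for a non-existent user that is then dropped by the `UserNotFound` handler below. Prefer deciding the member format from configuration (the same `user_dn_key` option this patch introduces) and, if the fallback is kept, log at debug level which value was treated as a bare ID. The inline comment should also describe the condition generally (POSIX `memberUid` groups) rather than naming OpenDirectory only, and the module must import `ldap` for the `except` clause to resolve; the hunk does not show that import.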

We tested that patch and it works: we can connect with a user that belongs to a group which is admin on a project.
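An added example (not keystone's code and not the patch above) of the member-resolution logic the Doc Text describes: a small DN splitter and a resolver that returns the user ID whether a group stores full DNs or bare POSIX `memberUid` values, deciding per value instead of relying on a decoding error. The group entries and the `uid` naming attribute are constructed assumptions.

```python
import re

# Constructed sample group entries, modelled on the two layouts in the Doc Text:
# a POSIX group with bare IDs in memberUid, and a group whose members are DNs.
POSIX_GROUP = {"dn": "cn=group1,cn=groups,dc=domain,dc=com",
               "memberUid": ["user1", "user2"]}
DN_GROUP = {"dn": "cn=group1,cn=groups,dc=domain,dc=com",
            "member": ["uid=user1,cn=users,dc=domain,dc=com",
                       "uid=user2,cn=users,dc=domain,dc=com"]}

# Each DN component must look like "attr=value"; bare IDs such as "user1" do not.
_RDN = re.compile(r"^\s*([A-Za-z][\w.-]*)\s*=\s*(.+)$")

def split_dn(dn):
    """Split a DN into (attr, value) pairs; commas escaped with a backslash stay
    in the value. Raises ValueError when any component lacks attr=value shape."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part)
        if not m:
            raise ValueError("not a DN: %r" % dn)
        rdns.append((m.group(1).lower(), m.group(2).strip()))
    return rdns

def member_to_user_id(value, id_attr="uid"):
    """Map one group-member value to a user ID.
    DN form   -> value of the first RDN whose attribute is id_attr.
    Bare form -> the value itself, unchanged (the POSIX memberUid case)."""
    try:
        rdns = split_dn(value)
    except ValueError:
        return value
    for attr, val in rdns:
        if attr == id_attr.lower():
            return val
    raise ValueError("DN %r has no %s component" % (value, id_attr))

def group_user_ids(group, member_attr, id_attr="uid"):
    """User IDs of every member of a group, whichever layout the group uses."""
    return [member_to_user_id(v, id_attr) for v in group[member_attr]]
```

A DN that parses but carries no `id_attr` component is reported as an error rather than silently treated as a user ID, which is the case the patch's broad `except` would hide.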

Comment 4 Adam Young 2016-09-23 18:42:34 UTC
There are two patches that are required to completely solve this issue according to the launchpad thread:

https://review.openstack.org/258528 is the patch linked above

The additional changes are:

 https://review.openstack.org/#/c/291497/

which solves a problem described here:

https://bugs.launchpad.net/keystone/+bug/1526462/comments/12

Comment 14 errata-xmlrpc 2016-11-14 19:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2711.html