Bug 1459196
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | While using the "add" mappingMethod strategy, when the LDAP attribute name has a space, it can't be recognized as the same identity and a new user registry entry is created. | | |
| Product: | OpenShift Container Platform | Reporter: | Bruno Andrade <bandrade> |
| Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
| Status: | CLOSED NOTABUG | QA Contact: | Chuan Yu <chuyu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.3.0 | CC: | aos-bugs, bandrade, eparis |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-07-01 13:49:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description (Bruno Andrade, 2017-06-06 14:01:55 UTC)
It appears that the LDAP entries for the users do not have a uid attribute, which means they fall back to using the id attribute (first "dn", then "sAMAccountName") as the preferred username. When you changed the id attribute, it meant the next login retrieved what appeared to be a new identity. It then determined the OpenShift username for that identity using the sAMAccountName, found that user did not exist, and created it as well.

Is the goal to use sAMAccountName as the OpenShift username? If so, you can simply change the preferredUsername attribute to sAMAccountName, and leave the id attribute as dn. Existing users will not change their username, but new users will get a username matching their sAMAccountName.

The goal is to use sAMAccountName for Kibana due to a bug with the customer Distinguished Names https://bugzilla.redhat.com/1456584. The problem is that Kibana uses the x-proxy-remote-user header that uses the ID attribute. As the customer already has some users added on OpenShift, the purpose was to use mappingMethod ADD to not lose all already added roles. But as I'm seeing, the only way to go is to delete all users and identities.

If you want to change OpenShift usernames for new users while keeping old users as-is, change the preferredUsername setting, NOT the id setting. Switching back to dn for the id, and using sAMAccountName as the preferredUsername, should do what you want for new users.
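The two configurations discussed above, side by side, as an added example; this is not the customer's configuration or anything attached to the bug. It is an OpenShift 3.x `oauthConfig.identityProviders` entry from master-config.yaml for an Active Directory server. The provider name `ldap`, the host `ad.example.com`, the base DN, the bind DN, the bind password and the CA path are placeholders. The point of the example is the `attributes` block: identities are named `<provider name>:<value of the id attribute>`, so changing `id` from `dn` to `sAMAccountName` renames every existing identity and a fresh identity plus a fresh user is created on the next login, whatever `mappingMethod` says, while changing only `preferredUsername` leaves existing identities (and therefore existing users and their role bindings) untouched.

```yaml
# Added example (not the bug reporter's or Red Hat's own config).
# Fragment of oauthConfig.identityProviders in master-config.yaml.
# Host, DNs, password and CA path are placeholders.
- name: ldap
  challenge: true
  login: true
  # "add" only matters when the identity is new but a user with the
  # same preferredUsername already exists; it cannot re-link an identity
  # whose name changed because the id attribute changed.
  mappingMethod: add
  provider:
    apiVersion: v1
    kind: LDAPPasswordIdentityProvider
    url: "ldap://ad.example.com/DC=example,DC=com?sAMAccountName"
    bindDN: "CN=svc-openshift,OU=Service Accounts,DC=example,DC=com"
    bindPassword: "changeme"          # placeholder; keep the real one out of version control
    insecure: false
    ca: /etc/origin/master/ldap-ca.crt
    attributes:
      # What caused the duplicate users in the report:
      #   id: [sAMAccountName]        # existing identities are ldap:<dn>, so every user looks new
      #   preferredUsername: [uid]    # AD entries have no uid, so this falls back to the id value
      #
      # What the comment recommends instead:
      id: [dn]                        # unchanged: existing identities still match
      preferredUsername: [sAMAccountName]  # only newly created users get the short name
      name: [cn]
      email: [mail]
```

After changing the file and restarting the master services, `oc get identities` should still list the existing identities as `ldap:` followed by the full dn, and `oc get users` should show those identities still attached to the original users; only a user logging in for the first time after the change gets a username equal to their sAMAccountName. If the dn-based identities have already been replaced by sAMAccountName-based ones, the comment's conclusion stands: the affected users and identities have to be deleted and recreated, and their role bindings reapplied.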