Bug 1375685 - Need support for OpenDirectory in LDAP driver in RHOSP 8.0
Summary: Need support for OpenDirectory in LDAP driver in RHOSP 8.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 8.0 (Liberty)
Hardware: x86_64
OS: Linux
high
high
Target Milestone: async
: 8.0 (Liberty)
Assignee: Adam Young
QA Contact: Rodrigo Duarte
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-13 17:07 UTC by Jeremy
Modified: 2019-12-16 06:45 UTC (History)

Fixed In Version: openstack-keystone-8.0.1-3.el7ost
Doc Type: Bug Fix
Doc Text:
In certain cases, directories use the concept of POSIX groups, where the members of a group are represented as UIDs rather than full DNs, for example:

    dn: cn=group1,cn=groups,dc=domain,dc=com
    ....
    memberUid: user1
    memberUid: user2
    ....

The LDAP driver was previously hardcoded to expect full DN members, for example:

    dn: cn=group1,cn=groups,dc=domain,dc=com
    ....
    memberUid: uid=user1,cn=users,dc=domain,dc=com
    memberUid: uid=user2,cn=users,dc=domain,dc=com
    ....

This update adds support for LDAP backends using POSIX groups.
Clone Of:
Environment:
Last Closed: 2016-11-14 19:58:29 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2621281 0 None None None 2016-09-21 07:21:11 UTC
Red Hat Product Errata RHBA-2016:2711 0 normal SHIPPED_LIVE openstack-keystone bug fix advisory 2016-11-15 00:54:30 UTC

Description Jeremy 2016-09-13 17:07:49 UTC
Description of problem: Upstream bug is here: https://bugs.launchpad.net/keystone/+bug/1526462. It looks like this is fixed in OSP 9.0; however, we would like a backport to OSP 8.0.


Additional info:


It's not possible with OSP 8 because the attribute memberUID on POSIX users does not contain a DN definition.

In OSP 9 there is an existing patch. We backported it to OSP 8 and it worked as we wanted.

Now, is it possible to have support for that modification?

here is the patch url we used :
https://launchpadlibrarian.net/230115945/keystone_ldap_new.patch


And here is the diff of the file we've modified:

diff --git a/keystone/common/config.py b/keystone/common/config.py
index c725026..19245ff 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -825,6 +825,8 @@
                    help='End user auth connection pool size.'),
         cfg.IntOpt('auth_pool_connection_lifetime', default=60,
                    help='End user auth connection lifetime in seconds.'),
+        cfg.StrOpt('user_dn_key', default='dn',
+                   help='Key to extract user dn from LDAP entry'),
     ],
     'auth': [
         cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS,
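Review bot: the new `user_dn_key` option is registered here, but nothing in this patch actually reads it to choose the key: the ldap.py hunk stores it as `self.ldap_user_dn_key` and then hardcodes `user_ref['id']` in `list_groups_for_user`. Either use the option there (`user_ref[self.ldap_user_dn_key]`) or drop it. The help string should also end with a period like the neighbouring options ('Key to extract user dn from LDAP entry.').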
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index 0f7ee45..894c2ab 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -38,6 +38,7 @@
         super(Identity, self).__init__()
         if conf is None:
             conf = CONF
+        self.ldap_user_dn_key = conf.ldap.user_dn_key
         self.user = UserApi(conf)
         self.group = GroupApi(conf)
 
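Review bot: `self.ldap_user_dn_key` is assigned here but never referenced anywhere else in the diff, so it is dead state; the later change to `list_groups_for_user` uses the literal `'id'` instead. Suggest `user_dn = user_ref[self.ldap_user_dn_key]` in that method, or remove this line together with the config option.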
@@ -157,7 +158,7 @@
 
     def list_groups_for_user(self, user_id, hints):
         user_ref = self._get_user(user_id)
-        user_dn = user_ref['dn']
+        user_dn = user_ref['id']
         return self.group.list_user_groups_filtered(user_dn, hints)
 
     def list_groups(self, hints):
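Review bot: replacing `user_ref['dn']` with `user_ref['id']` changes the value passed to `list_user_groups_filtered` for every deployment, not only POSIX-group ones: backends whose group member attribute holds full DNs will now be filtered on the bare user id and stop matching, so users silently lose their group (and therefore role) assignments. The key should depend on the configured layout, which is what the otherwise unused `user_dn_key` option appears to be for, e.g. `user_dn = user_ref[self.ldap_user_dn_key]`, with a unit test covering both member formats.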
@@ -166,7 +167,12 @@
     def list_users_in_group(self, group_id, hints):
         users = []
         for user_dn in self.group.list_group_users(group_id):
-            user_id = self.user._dn_to_id(user_dn)
+            try:
+                user_id = self.user._dn_to_id(user_dn)
+            except ldap.DECODING_ERROR:
+                # OpenDirectory uses different entry layout
+                # and stores user id as it is
+                user_id = user_dn
             try:
                 users.append(self.user.get_filtered(user_id))
             except exception.UserNotFound:
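Review bot: using `ldap.DECODING_ERROR` to detect a non-DN member value is fragile: a bare memberUid is not guaranteed to fail DN decoding (a value such as `a=b` parses as a valid DN), and the context lines do not show that `ldap` is imported in this module, so confirm the import exists. Because the fallback passes the raw attribute value straight to `get_filtered`, prefer selecting the POSIX layout explicitly from configuration rather than via the exception path, and keep the except clause narrow so that genuine decoding failures still surface.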

We tested that patch and it works: we can connect with a user that belongs to a group which is admin on a project.
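The two group layouts from the Doc Text, resolved by an added example (not keystone's code and not the patch above): it tells a full-DN member apart from a bare POSIX memberUid with an explicit check rather than a decoding exception, and extracts the user id from either. The group entries and the helper names are constructed for illustration.

```python
import re

# Constructed sample entries (not from the bug report): the same group in
# the two layouts described in the Doc Text.
POSIX_GROUP = {
    "dn": "cn=group1,cn=groups,dc=domain,dc=com",
    "memberUid": ["user1", "user2"],
}
DN_GROUP = {
    "dn": "cn=group1,cn=groups,dc=domain,dc=com",
    "memberUid": [
        "uid=user1,cn=users,dc=domain,dc=com",
        "uid=user2,cn=users,dc=domain,dc=com",
    ],
}

# One RDN looks like attr=value; a DN is one or more RDNs joined by commas.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def is_dn(value):
    """Heuristic: True if every comma-separated component is attr=value."""
    parts = [p.strip() for p in value.split(",")]
    return all(_RDN.match(p) for p in parts)


def member_to_user_id(value, id_attr="uid"):
    """Return the user id that a group member value refers to.

    Full DN member: the value of the id attribute in the leading RDN.
    Bare member (POSIX memberUid): the value itself, unchanged.
    A DN whose leading RDN is not the id attribute is rejected rather than
    silently treated as a user id.
    """
    if not is_dn(value):
        return value
    leading_rdn = value.split(",", 1)[0]
    attr, _, val = leading_rdn.partition("=")
    if attr.strip().lower() != id_attr.lower():
        raise ValueError("member DN %r does not start with %s=" % (value, id_attr))
    return val.strip()


def users_in_group(group, member_attr="memberUid"):
    """Resolve every member of a group entry to a user id."""
    return [member_to_user_id(v) for v in group.get(member_attr, [])]
```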

Comment 4 Adam Young 2016-09-23 18:42:34 UTC
There are two patches that are required to completely solve this issue according to the launchpad thread:

https://review.openstack.org/258528 is the patch linked above

The additional changes are:

https://review.openstack.org/#/c/291497/

which solves a problem described here:

https://bugs.launchpad.net/keystone/+bug/1526462/comments/12

Comment 14 errata-xmlrpc 2016-11-14 19:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2711.html

