Description of problem: Upstream bug is here: https://bugs.launchpad.net/keystone/+bug/1526462. It looks like this is fixed in OSP9.0; however, we would like a backport to OSP8.0. Additional info: It's not possible with OSP 8 because the attribute memberUID on posix users does not contain a DN definition. In OSP 9 there is an existing patch. We backported it in OSP8 and it worked as we wanted. Now, is it possible to have support for that modification? Here is the patch URL we used: https://launchpadlibrarian.net/230115945/keystone_ldap_new.patch And here is the diff of the file we've modified: diff --git a/keystone/common/config.py b/keystone/common/config.py index c725026..19245ff 100644 --- a/keystone/common/config.py +++ b/keystone/common/config.py @@ -825,6 +825,8 @@ help='End user auth connection pool size.'), cfg.IntOpt('auth_pool_connection_lifetime', default=60, help='End user auth connection lifetime in seconds.'), + cfg.StrOpt('user_dn_key', default='dn', + help='Key to extract user dn from LDAP entry'), ], 'auth': [ cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS, diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py index 0f7ee45..894c2ab 100644 --- a/keystone/identity/backends/ldap.py +++ b/keystone/identity/backends/ldap.py @@ -38,6 +38,7 @@ super(Identity, self).__init__() if conf is None: conf = CONF + self.ldap_user_dn_key = conf.ldap.user_dn_key self.user = UserApi(conf) self.group = GroupApi(conf) @@ -157,7 +158,7 @@ def list_groups_for_user(self, user_id, hints): user_ref = self._get_user(user_id) - user_dn = user_ref['dn'] + user_dn = user_ref['id'] return self.group.list_user_groups_filtered(user_dn, hints) def list_groups(self, hints):
@@ -166,7 +167,12 @@ def list_users_in_group(self, group_id, hints): users = [] for user_dn in self.group.list_group_users(group_id): - user_id = self.user._dn_to_id(user_dn) + try: + user_id = self.user._dn_to_id(user_dn) + except ldap.DECODING_ERROR: + # OpenDirectory uses different entry layout + # and stores user id as it is + user_id = user_dn try: users.append(self.user.get_filtered(user_id)) except exception.UserNotFound: We tested that patch and it works: we can connect with a user that belongs to a group which is admin on a project.
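Review bot: the `user_dn_key` option added in the config.py hunk is registered but never consumed. The ldap.py `__init__` hunk stores it in `self.ldap_user_dn_key`, and no hunk in this diff reads that attribute; `list_groups_for_user` instead hardcodes `user_ref['id']`. Either use the configured key there (`user_dn = user_ref[self.ldap_user_dn_key]`) or drop the option and the attribute so the backport does not ship a dead setting. The help string `'Key to extract user dn from LDAP entry'` also lacks the trailing period the neighbouring options use.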
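Review bot: in the `list_groups_for_user` hunk, replacing `user_ref['dn']` with `user_ref['id']` applies unconditionally to every LDAP deployment, not only the posix/memberUID layout the report describes, so the value passed on as `user_dn` to `list_user_groups_filtered` now holds the user id even where the group membership attribute carries full DNs. Gate the choice on configuration (for instance the `user_dn_key` option this same patch introduces) rather than changing the lookup key for everyone.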
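Review bot: in the `list_users_in_group` hunk, catching `ldap.DECODING_ERROR` around `_dn_to_id` and falling back to `user_id = user_dn` turns any member value that fails to parse as a DN into a user id, so a malformed DN in the member attribute is silently looked up as a user instead of being reported. Consider handling the expected posix/memberUID case explicitly and logging when the fallback is taken, and confirm the `ldap` module is imported in this file, since the hunk does not add it. The comment should also be updated: it names OpenDirectory, while the report is about posix groups whose memberUID values contain no DN.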
There are two patches that are required to completely solve this issue according to the launchpad thread: https://review.openstack.org/258528 is the patch linked above. The additional changes are: https://review.openstack.org/#/c/291497/, which solves a problem described here: https://bugs.launchpad.net/keystone/+bug/1526462/comments/12
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2711.html