Bug 1439439
| Summary: | OpenShift with LDAP (active directory) auth is showing identities with non printable chars | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> |
| Component: | apiserver-auth | Assignee: | Mo <mkhan> |
| Status: | CLOSED WONTFIX | QA Contact: | Chuan Yu <chuyu> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.4.1 | CC: | ahardin, aos-bugs, dranders, eparis, erich, jliggitt, jpazdziora, knakayam, mfojtik, mkhan, pweil, ssorce, tatanaka |
| Target Milestone: | --- | Keywords: | OpsBlocker, Reopened |
| Target Release: | 3.7.0 | Flags: | mkhan: needinfo- |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-02-26 16:05:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Kenjiro Nakayama
2017-04-06 02:01:13 UTC
Ping? I updated the Priority and Severity to high as I have another customer's case that the new user can't log in to OpenShift due to this BZ. Do you have any workarounds? The customer behind this case wants to change objectGUID to sAMAccountName in order to work around this issue. As far as my understanding goes, it has no side effect. Could you double-check this workaround is safe?

Does it make sense to work on converting objectGUID, or perhaps all binary attributes, to string representation (hex values or something)? FWIW, I've asked how SSSD does it and the answer is: SSSD stores objectGUID as well as the SID in the string representation in the cache. Not sure if this is 'best practice' but that's how we currently do it. The main reason is that from the SSSD point of view those values are either searched for with the string representation as input or the values should be displayed. In both cases storing them as strings helps to avoid some conversions.

Given identities are meant to be printable strings in general and that usually there are unique printable attributes in LDAP directories (sAMAccountName for example in AD), and given the fact a change in this area would be both non-trivial and potentially backwards incompatible, we think the change in documentation[1] about not using binary attributes should be sufficient. So I am going to close this bug as WONTFIX, please reopen if necessary.

[1] https://github.com/openshift/openshift-docs/pull/5343

Let me reinforce this. The default configuration we support uses the sAMAccountName field. This is the field that fundamentally *all* software interacting with AD uses to represent a user in AD in normal circumstances. Other fields can *optionally* be used as long as they are TEXT attributes (both ASCII and Unicode are fine). Using binary attributes is not supported and also not necessary in normal AD installations and will, most likely, not be supported in future by our LDAP backend.

NOTE: If the customer has special needs around attribute transformation, they may consider using a SAML/OIDC IdP (like ADFS, Keycloak, etc.) instead of the LDAP IdP, assuming that those tools give them the ability to use arbitrary attributes and transform binary ones into a text ID.
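The thread above contrasts two things: what happens when a binary LDAP attribute such as objectGUID is taken as an identity name byte-for-byte (non-printable characters end up in the identity), and the SSSD approach of storing objectGUID and the SID in their string representations. The following is an added, self-contained illustration of both; it is not code from OpenShift, SSSD or this bug, and the function names, the `identity_from_attribute` helper and the sample attribute values are constructed for the example. It uses the standard Active Directory layout of the two attributes (objectGUID: 16 bytes with the first three GUID fields little-endian; objectSid: revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities) and adds the printability check a defender would want before accepting any attribute as an identity.

```python
import struct
import uuid

# Constructed sample values (not taken from the bug report): a 16-byte
# objectGUID and a binary objectSid as Active Directory returns them over LDAP.
SAMPLE_OBJECTGUID = bytes(range(1, 17))
SAMPLE_OBJECTSID = (
    b"\x01\x05"                      # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")         # identifier authority 5 (NT authority)
    + struct.pack("<5I", 21, 1, 2, 3, 500)
)


def identity_is_printable(name: str) -> bool:
    """True only if the name is non-empty and every character is printable."""
    return name != "" and name.isprintable()


def naive_identity_from_attribute(raw: bytes) -> str:
    """Treat a binary attribute as if it were text (what produces the
    non-printable identities described in the bug). latin-1 maps each byte
    to one code point, so this never raises but yields control characters."""
    return raw.decode("latin-1")


def objectguid_to_string(raw: bytes) -> str:
    """objectGUID (16 bytes, mixed-endian) -> canonical GUID string."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    # uuid.UUID(bytes_le=...) byte-swaps the first three fields for us.
    return str(uuid.UUID(bytes_le=raw))


def objectsid_to_string(raw: bytes) -> str:
    """objectSid (binary SID) -> 'S-1-5-21-...' string form."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def identity_from_attribute(attr_name: str, raw: bytes) -> str:
    """Hypothetical helper: derive a printable identity from one LDAP attribute.
    Known binary attributes are converted to their string representation;
    anything else must already be valid, printable UTF-8 text."""
    name = attr_name.lower()
    if name == "objectguid":
        return objectguid_to_string(raw)
    if name == "objectsid":
        return objectsid_to_string(raw)
    text = raw.decode("utf-8")  # strict: a binary value will usually raise here
    if not identity_is_printable(text):
        raise ValueError("attribute %s yields a non-printable identity" % attr_name)
    return text


if __name__ == "__main__":
    naive = naive_identity_from_attribute(SAMPLE_OBJECTGUID)
    print("naive objectGUID identity printable?", identity_is_printable(naive))
    print("objectGUID as string:", identity_from_attribute("objectGUID", SAMPLE_OBJECTGUID))
    print("objectSid as string: ", identity_from_attribute("objectSid", SAMPLE_OBJECTSID))
    print("sAMAccountName:      ", identity_from_attribute("sAMAccountName", b"jdoe"))
```

The strict UTF-8 decode in `identity_from_attribute` is deliberate: a text attribute such as sAMAccountName passes unchanged, while an unexpected binary attribute fails loudly at login time instead of creating an identity record whose name cannot be typed or displayed.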