Bug 1465479 - LDAP id rather than preferredUsername as default name
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Jordan Liggitt
QA Contact: Chuan Yu
Keywords: UpcomingRelease
Reported: 2017-06-27 09:57 EDT by Vladislav Walek
Modified: 2017-06-28 04:52 EDT (History)
CC: 5 users
Last Closed: 2017-06-28 04:52:19 EDT
Type: Bug

Description Vladislav Walek 2017-06-27 09:57:18 EDT
Description of problem:

The customer is running OpenShift with Active Directory as the LDAP provider. The username is set to the object sAMAccountname. The preferredUsername in OpenShift is also configured to the sAMAccountname. However, when a user logs in to OpenShift for the first time, the user and identity are created, but the name of the user is set to the CN and not to the sAMAccountname.

The master-config looks like this:
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - cn
        name:
        - cn
        preferredUsername:
        - sAMAccountname
      bindDN: openshift
      bindPassword: *******
      insecure: true
      kind: LDAPPasswordIdentityProvider
      url: ldap://ldap.example.com/DC=company,DC=example,DC=com?sAMAccountname

The LDAP entry looks like this:
sAMAccountname=asdf1234
cn=Hans Gruber
dn=cn=Hans Gruber,dc=company,dc=example,dc=com

The oc get users output looks like this:
NAME          UID          FULL NAME     IDENTITY
Hans Gruber   1234..2134   Hans Gruber   ldap_provider:cn=Hans Gruber

but it should look like this (according to the preferred username):
NAME          UID          FULL NAME     IDENTITY
asdf1234      1234..2134   Hans Gruber   ldap_provider:cn=Hans Gruber

I tested with the customer, and one thing which could cause that problem was the 'id' object in the OpenShift master config. It is set to 'cn' rather than 'dn'.
After changing the id to 'dn', a strange thing happened. oc get users now showed the dn as the name, and not the cn as before:
NAME                                          UID          FULL NAME     IDENTITY
cn=Hans Gruber,dc=company,dc=example,dc=com   1234..2134   Hans Gruber   ldap_provider:cn=Hans Gruber,dc=company,dc=example,dc=com

So my conclusion from this test is that the "NAME" param in oc get users takes the id from the LDAP provider rather than the preferredUsername.

We also did another test and changed the id to the sAMAccountname. However, after that (with the user and identity removed beforehand) the user gets a "500 Internal Server Error" message.

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.5

How reproducible:
Check the configuration above. 

Steps to Reproduce:
1.
2.
3.

Actual results:
# oc get users

NAME          UID          FULL NAME     IDENTITY
Hans Gruber   1234..2134   Hans Gruber   ldap_provider:cn=Hans Gruber

Expected results:
# oc get users 

NAME          UID          FULL NAME     IDENTITY
asdf1234      1234..2134   Hans Gruber   ldap_provider:cn=Hans Gruber

Additional info:
I also found that the identity doesn't contain the extra param preferred_username.
Comment 1 Jordan Liggitt 2017-06-27 12:53:52 EDT
If the LDAP attribute specified for the preferredUsername is not found, the attribute specified as the id is used.

LDAP attribute names are case-sensitive. Note that the correct case of the sAMAccountName attribute contains an upper-case N.

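The following is an added example, not OpenShift's own code, that models the attribute lookup and fallback behaviour comment 1 describes and replays the three configurations from the description against it. The LDAP entry for Hans Gruber is constructed from the values in the report; the attribute-name lookup is an exact string match (which is what makes the miscased sAMAccountname fall through to cn), and treating an empty id as a hard error is an assumption made here to illustrate the failed login, not a claim about where the 500 in the report came from.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for an LDAP search result (not go-ldap's Entry type).
// Attribute names are stored exactly as the server returns them.
type ldapEntry struct {
	DN         string
	Attributes map[string][]string
}

// Mirrors the provider.attributes section of master-config.yaml.
type attributeMapping struct {
	ID                []string
	PreferredUsername []string
	Name              []string
}

// getAttributeValue returns the first non-empty value among the listed
// attributes. "dn" is special-cased because the DN is not an attribute.
// The map lookup is an exact string match, so a configured "sAMAccountname"
// never matches an attribute the server returned as "sAMAccountName".
func getAttributeValue(entry ldapEntry, attributes []string) string {
	for _, attr := range attributes {
		if attr == "" {
			continue
		}
		if strings.EqualFold(attr, "dn") {
			return entry.DN
		}
		if vals, ok := entry.Attributes[attr]; ok && len(vals) > 0 && vals[0] != "" {
			return vals[0]
		}
	}
	return ""
}

// resolvedUser is what the identity provider hands on to the user mapper.
type resolvedUser struct {
	ID                string
	PreferredUsername string // empty when the configured attribute was not found
	FullName          string
}

// resolve applies the mapping to an entry. Treating an empty id as a hard
// error is an assumption made for this example: it is the simplest account
// of a login that fails once id points at an attribute that is never found.
func resolve(entry ldapEntry, m attributeMapping) (resolvedUser, error) {
	id := getAttributeValue(entry, m.ID)
	if id == "" {
		return resolvedUser{}, fmt.Errorf("no id for %s from attributes %v", entry.DN, m.ID)
	}
	return resolvedUser{
		ID:                id,
		PreferredUsername: getAttributeValue(entry, m.PreferredUsername),
		FullName:          getAttributeValue(entry, m.Name),
	}, nil
}

// userName is the NAME column of "oc get users": the preferredUsername when
// it resolved, otherwise the id. This is the fallback described in comment 1.
func (u resolvedUser) userName() string {
	if u.PreferredUsername != "" {
		return u.PreferredUsername
	}
	return u.ID
}

// Constructed entry matching the report; sAMAccountName carries the case
// Active Directory actually uses.
var hans = ldapEntry{
	DN: "cn=Hans Gruber,dc=company,dc=example,dc=com",
	Attributes: map[string][]string{
		"cn":             {"Hans Gruber"},
		"sAMAccountName": {"asdf1234"},
	},
}

// userNameFor tries one id/preferredUsername pair against the sample entry.
func userNameFor(idAttr, preferredAttr string) (string, error) {
	u, err := resolve(hans, attributeMapping{
		ID:                []string{idAttr},
		PreferredUsername: []string{preferredAttr},
		Name:              []string{"cn"},
	})
	if err != nil {
		return "", err
	}
	return u.userName(), nil
}

func main() {
	cases := []struct{ id, preferred string }{
		{"cn", "sAMAccountname"}, // the report's config: falls back to cn
		{"cn", "sAMAccountName"}, // corrected case: NAME is asdf1234
		{"dn", "sAMAccountname"}, // second test: NAME is the full DN
		{"sAMAccountname", "cn"}, // third test: id never resolves, login fails
	}
	for _, c := range cases {
		name, err := userNameFor(c.id, c.preferred)
		fmt.Printf("id=%-15s preferredUsername=%-15s NAME=%q err=%v\n", c.id, c.preferred, name, err)
	}
}
```

The practical check this suggests: before changing id or preferredUsername in master-config.yaml, run an ldapsearch for one user and copy the attribute names exactly as they come back in the result, since the configured name is compared character for character and a silent miss only shows up as the fallback to the id attribute.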