[openstack-dev] [keystone] Liberty - problem with assignment LDAP backend - Groups
dsutyagin at mirantis.com
Thu Apr 21 00:41:58 UTC 2016
I am observing the following issue:
LDAP backend is enabled for identity and assignment, domain specific
LDAP section configured - users, groups, projects and roles are mapped.
I am able to use identity v3 api to list users, groups, to verify that a
user is in a group, and also to view role assignments - everythings looks
correct so far.
I am able to create a role for user in LDAP and if I put a user directly
into a role, everything works.
But when I put a group (which contains that user) into a role - the user
I have found a spot in the code which causes the issue:
This check returns False, here is why:
group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'
Therefore the check:
if role_assignment.user_dn.upper() in group_dns
Will return false. I do not understand how this should work - why should
user_dn match group_dn?
OpenStack Escalations Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev