[openstack-dev] [keystone] Liberty - problem with assignment LDAP backend - Groups

Dmitry Sutyagin dsutyagin at mirantis.com
Thu Apr 21 00:41:58 UTC 2016

Hi everybody,

I am observing the following issue:

LDAP backend is enabled for identity and assignment, domain specific
configs disabled.
LDAP section configured - users, groups, projects and roles are mapped.
I am able to use identity v3 api to list users, groups, to verify that a
user is in a group, and also to view role assignments - everything looks
correct so far.
I am able to create a role for user in LDAP and if I put a user directly
into a role, everything works.
But when I put a group (which contains that user) into a role - the user
gets a 401.

I have found a spot in the code which causes the issue:


This check returns False, here is why:
group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'

Therefore the check:
if role_assignment.user_dn.upper() in group_dns
Will return false. I do not understand how this should work - why should
user_dn match group_dn?

Yours sincerely,
Dmitry Sutyagin
OpenStack Escalations Engineer
Mirantis, Inc.
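As an added illustration of the DN comparison described in the mail (this is not keystone's code), the following constructed in-memory directory reproduces the two DN sets involved: a role's member DNs, which may be user DNs or group DNs, and the group DNs the quoted check compares against. The names USERS/GROUPS/ROLES, the dc=example,dc=com suffix and the role names are assumptions.

```python
from typing import Dict, List, Set

# Constructed sample directory (not real data); DN shapes follow the mail.
USER_DN = "cn=UserX,ou=Users,ou=YYY,dc=example,dc=com"
OTHER_USER_DN = "cn=UserZ,ou=Users,ou=YYY,dc=example,dc=com"
GROUP_DN = "cn=GroupX,ou=Groups,ou=YYY,dc=example,dc=com"
MEMBER_ROLE_DN = "cn=Member,ou=Roles,ou=YYY,dc=example,dc=com"
ADMIN_ROLE_DN = "cn=Admin,ou=Roles,ou=YYY,dc=example,dc=com"

# group -> member DNs (mixed case on purpose: LDAP DNs are case-insensitive)
GROUPS: Dict[str, List[str]] = {
    GROUP_DN: ["CN=UserX,OU=Users,OU=YYY,DC=example,DC=com"],
}
# role -> member DNs; a role member can be a user DN or a group DN
ROLES: Dict[str, List[str]] = {
    MEMBER_ROLE_DN: [GROUP_DN],   # group assigned to the role
    ADMIN_ROLE_DN: [USER_DN],     # user assigned directly
}


def norm_dn(dn: str) -> str:
    """Case-fold and strip spaces after commas so equal DNs compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).upper()


def member_matches_group_dns(member_dn: str, group_dns: List[str]) -> bool:
    """The comparison quoted in the mail: is this role member one of group_dns?
    A user DN is never a group DN, so it only succeeds for a group member entry."""
    return norm_dn(member_dn) in {norm_dn(g) for g in group_dns}


def groups_of_user(user_dn: str) -> Set[str]:
    """All group DNs whose member attribute lists this user."""
    u = norm_dn(user_dn)
    return {norm_dn(g) for g, members in GROUPS.items()
            if any(norm_dn(m) == u for m in members)}


def user_has_role(user_dn: str, role_dn: str) -> bool:
    """Role held directly, or through a group that is a member of the role:
    compare the role's member DNs with the user's DN *and* its group DNs."""
    role_members = {norm_dn(m) for m in ROLES.get(role_dn, [])}
    candidates = {norm_dn(user_dn)} | groups_of_user(user_dn)
    return bool(candidates & role_members)
```

With these inputs the quoted check is False for the user DN and True only for the group DN, while user_has_role resolves the user's groups first and so grants the role either way.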