[openstack-dev] [keystone] Liberty - problem with assignment LDAP backend - Groups
dsutyagin at mirantis.com
Thu Apr 21 00:50:08 UTC 2016
group_dns = [u'CN=GroupX,OU=Groups,OU=SomeOU,DC=zzz']
ra.user_dn.upper() = 'CN=GROUPX,OU=GROUPS,OU=SOMEOU,DC=ZZZ'
So this could work if only:
- string in group_dns was str, not unicode
- text was uppercase
Now the question is - should it be so?
On Wed, Apr 20, 2016 at 5:41 PM, Dmitry Sutyagin <dsutyagin at mirantis.com>
> Hi everybody,
> I am observing the following issue:
> LDAP backend is enabled for identity and assignment, domain specific
> configs disabled.
> LDAP section configured - users, groups, projects and roles are mapped.
> I am able to use identity v3 api to list users, groups, to verify that a
> user is in a group, and also to view role assignments - everythings looks
> correct so far.
> I am able to create a role for user in LDAP and if I put a user directly
> into a role, everything works.
> But when I put a group (which contains that user) into a role - the user
> get's 401.
> I have found a spot in the code which causes the issue:
> This check returns False, here is why:
> group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
> role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'
> Therefore the check:
> if role_assignment.user_dn.upper() in group_dns
> Will return false. I do not understand how this should work - why should
> user_dn match group_dn?
> Yours sincerely,
> Dmitry Sutyagin
> OpenStack Escalations Engineer
> Mirantis, Inc.
OpenStack Escalations Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev