[openstack-dev] [keystone] Liberty - problem with assignment LDAP backend - Groups

Dmitry Sutyagin dsutyagin at mirantis.com
Thu Apr 21 00:50:08 UTC 2016


Correction:

group_dns = [u'CN=GroupX,OU=Groups,OU=SomeOU,DC=zzz']
ra.user_dn.upper() = 'CN=GROUPX,OU=GROUPS,OU=SOMEOU,DC=ZZZ'

So this could work if only:
- string in group_dns was str, not unicode
- text was uppercase

Now the question is - should it be so?

On Wed, Apr 20, 2016 at 5:41 PM, Dmitry Sutyagin <dsutyagin at mirantis.com>
wrote:

> Hi everybody,
>
> I am observing the following issue:
>
> LDAP backend is enabled for identity and assignment, domain specific
> configs disabled.
> LDAP section configured - users, groups, projects and roles are mapped.
> I am able to use identity v3 api to list users, groups, to verify that a
> user is in a group, and also to view role assignments - everything looks
> correct so far.
> I am able to create a role for user in LDAP and if I put a user directly
> into a role, everything works.
> But when I put a group (which contains that user) into a role - the user
> gets 401.
>
> I have found a spot in the code which causes the issue:
>
>
> https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67
>
> This check returns False, here is why:
> ===============================================
> group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
> role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'
> ===============================================
>
> Therefore the check:
> ====================================
> if role_assignment.user_dn.upper() in group_dns
> ====================================
> Will return false. I do not understand how this should work - why should
> user_dn match group_dn?
>
> --
> Yours sincerely,
> Dmitry Sutyagin
> OpenStack Escalations Engineer
> Mirantis, Inc.
>



-- 
Yours sincerely,
Dmitry Sutyagin
OpenStack Escalations Engineer
Mirantis, Inc.
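The two DN spellings in the thread differ only in attribute-type case (`cn=` vs `CN=`, `ou=` vs `OU=`), and the quoted check uppercases only one side of the comparison. The following is an added example, not keystone code, that reproduces that mismatch on constructed DNs and shows a comparison that folds case (and surrounding whitespace) on both sides before testing membership. `normalize_dn` is a hypothetical helper that splits on commas; it does not handle RDN values containing escaped commas, and Python 3 has a single `str` type, so the example exercises only the case half of the problem described above.

```python
# Added example (not from keystone): a one-sided case-fold makes the
# group-membership test miss a DN that LDAP returned in a different case.

# Constructed sample DNs modelled on the ones in the thread.
GROUP_DNS = ['cn=GroupX,ou=Groups,ou=SomeOU,dc=zzz']          # as returned by LDAP
ASSIGNMENT_GROUP_DN = 'CN=GroupX,OU=Groups,OU=SomeOU,DC=zzz'  # as stored on the role assignment
USER_DN = 'cn=UserX,ou=Users,ou=SomeOU,dc=zzz'                 # a user, never a group


def naive_dn_in_list(dn, group_dns):
    """The shape of the check quoted in the thread: only one side is
    uppercased, so a membership hit depends on the case LDAP happened
    to return for the list entries."""
    return dn.upper() in group_dns


def normalize_dn(dn):
    """Hypothetical helper: fold case and strip whitespace around each
    RDN so two spellings of the same DN compare equal. Simplified: it
    splits on every comma and ignores escaped commas inside values."""
    return ','.join(part.strip() for part in dn.split(',')).upper()


def normalized_dn_in_list(dn, group_dns):
    """Compare after normalizing BOTH sides, so the result no longer
    depends on the case of either input."""
    targets = {normalize_dn(g) for g in group_dns}
    return normalize_dn(dn) in targets


def demo():
    """Return the outcome of each check for the sample DNs."""
    return {
        'naive_group_match': naive_dn_in_list(ASSIGNMENT_GROUP_DN, GROUP_DNS),
        'normalized_group_match': normalized_dn_in_list(ASSIGNMENT_GROUP_DN, GROUP_DNS),
        # A user DN must still not match a group list, whatever the casing.
        'normalized_user_match': normalized_dn_in_list(USER_DN, GROUP_DNS),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

For production use the RDN splitting should come from a real DN parser (for instance `ldap.dn.str2dn` from python-ldap) rather than `str.split`, since a comma inside an escaped RDN value would break the simplified normalizer above.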