[openstack-dev] [keystone] LDAP user_id_attribute does not affect groups

Boris Kudryavtsev bkudryavtsev at mirantis.com
Wed May 17 21:00:58 UTC 2017

Hello OpenStack-dev,

I am running Keystone in a virtual environment with an LDAP backend.
When user_id_attribute is set to sn (and the LDAP directory is
configured accordingly),
`openstack user list --domain default --group test-group` results in
`Group member `userid` for group `f44a7fbb9e174ba5823474c759d43643`
not found in the directory.
The user should be removed from the group. The user will be ignored.`
for a groupOfNames that has userid as a member.

However, `openstack user list` works OK and lists all user names and ids.

Outputs: http://paste.openstack.org/show/609820/

It seems that the problem is here:

cn is used as the id attribute regardless of configuration in

keystone.conf: http://paste.openstack.org/show/609845/
LDAP directory: http://paste.openstack.org/show/609846/

Any ideas? This smells of a bug.

Boris Kudryavtsev
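As an added illustration (not code from the post or from Keystone), the following Python pre-flight check compares the user_id_attribute configured in a keystone.conf [ldap] section against the leftmost RDN attribute of every member DN in a groupOfNames entry. It assumes, as the post suggests, that group members whose DN does not name the user by the configured id attribute cannot be resolved and produce the "not found in the directory" warning; the keystone.conf excerpt and the member DNs are constructed sample input, and the option names (user_id_attribute, group_member_attribute, ...) are Keystone's real [ldap] options.

```python
"""Pre-flight check: do groupOfNames member DNs match Keystone's user_id_attribute?

Hypothetical diagnostic, not Keystone code. Assumption: a member DN whose
leftmost RDN attribute differs from the configured user_id_attribute is the
kind of entry that triggers "Group member ... not found in the directory".
"""
import configparser
from typing import Dict, List, Tuple

# Constructed keystone.conf excerpt (not the poster's real file)
SAMPLE_KEYSTONE_CONF = """
[ldap]
url = ldap://ldap.example.com
user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = sn
user_name_attribute = uid
group_tree_dn = ou=Groups,dc=example,dc=com
group_objectclass = groupOfNames
group_member_attribute = member
"""

# Constructed groupOfNames 'member' values: users named by different attributes
SAMPLE_GROUP_MEMBERS = [
    "sn=alice,ou=Users,dc=example,dc=com",
    "cn=bob,ou=Users,dc=example,dc=com",
    "userid=carol,ou=Users,dc=example,dc=com",
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas (RFC 4514 escaping)."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep escape sequence, do not split on it
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def leftmost_rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute, value) of the leftmost RDN, attribute lower-cased."""
    attr, sep, value = split_dn(dn)[0].partition("=")
    if not sep:
        raise ValueError(f"not an attribute=value RDN: {dn!r}")
    return attr.strip().lower(), value.strip()


def configured_id_attribute(conf_text: str) -> str:
    """Read [ldap] user_id_attribute; Keystone's documented default is cn."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("ldap", "user_id_attribute", fallback="cn").lower()


def check_group_members(id_attr: str, member_dns: List[str]) -> Dict[str, List[str]]:
    """Partition member DNs by whether their RDN attribute is the configured id."""
    report: Dict[str, List[str]] = {"resolvable": [], "mismatched": []}
    for dn in member_dns:
        attr, _value = leftmost_rdn(dn)
        key = "resolvable" if attr == id_attr.lower() else "mismatched"
        report[key].append(dn)
    return report


if __name__ == "__main__":
    id_attr = configured_id_attribute(SAMPLE_KEYSTONE_CONF)
    result = check_group_members(id_attr, SAMPLE_GROUP_MEMBERS)
    print(f"user_id_attribute = {id_attr}")
    for dn in result["mismatched"]:
        print(f"  would not resolve: {dn}")
```

Running it against a dump of a real group's member attribute and the live keystone.conf shows at a glance which members are named by an attribute other than the configured id, which is the first thing to rule out before concluding the backend ignores the setting.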
