[openstack-dev] [keystone] LDAP user_id_attribute does not affect groups

Boris Kudryavtsev bkudryavtsev at mirantis.com
Wed May 17 21:00:58 UTC 2017


Hello OpenStack-dev,

I am running Keystone in a virtual environment with LDAP backend.
When user_id_attribute is set to sn (and the LDAP directory is
configured accordingly),
`openstack user list --domain default --group test-group` results in
`Group member `userid` for group `f44a7fbb9e174ba5823474c759d43643`
not found in the directory.
The user should be removed from the group. The user will be ignored.`
for a groupOfNames that has userid as a member.

However, `openstack user list` works OK and lists all user names and ids.

Outputs: http://paste.openstack.org/show/609820/

It seems that the problem is here:
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1280

cn is used as the id attribute regardless of configuration in
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126.

keystone.conf: http://paste.openstack.org/show/609845/
LDAP directory: http://paste.openstack.org/show/609846/

Any ideas? This smells of a bug.

Boris Kudryavtsev



More information about the OpenStack-dev mailing list