<div dir="ltr">Another correction - the issue is observed in Kilo, not Liberty, sorry for messing this up. (though this part of the code is identical in L)</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 5:50 PM, Dmitry Sutyagin <span dir="ltr"><<a href="mailto:dsutyagin@mirantis.com" target="_blank">dsutyagin@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Correction:<div><br></div><div>group_dns = [u'CN=GroupX,OU=Groups,OU=SomeOU,DC=zzz']<br></div><div>ra.user_dn.upper() = 'CN=GROUPX,OU=GROUPS,OU=SOMEOU,DC=ZZZ'<br><br>So this could work if only:</div><div>- string in group_dns was str, not unicode</div><div>- text was uppercase</div><div><br></div><div>Now the question is - should it be so?</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 5:41 PM, Dmitry Sutyagin <span dir="ltr"><<a href="mailto:dsutyagin@mirantis.com" target="_blank">dsutyagin@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi everybody,<div><br></div><div>I am observing the following issue:</div><div><br></div><div>LDAP backend is enabled for identity and assignment, domain specific configs disabled.</div><div>LDAP section configured - users, groups, projects and roles are mapped.</div><div>I am able to use identity v3 api to list users, groups, to verify that a user is in a group, and also to view role assignments - everything looks correct so far.</div><div>I am able to create a role for user in LDAP and if I put a user directly into a role, everything works.</div><div>But when I put a group (which contains that user) into a role - the user gets 401.</div><div><br></div><div>I have found a spot in the code which causes the issue:</div><div><br></div><div><a 
href="https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67" target="_blank">https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67</a></div><div><br></div><div>This check returns False, here is why:</div><div>===============================================<br></div><div>group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']</div><div>role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'</div><div>===============================================<br></div><div><br></div><div>Therefore the check:</div><div>====================================<br></div><div>if role_assignment.user_dn.upper() in group_dns</div><div>====================================<br></div><div>Will return false. I do not understand how this should work - why should user_dn match group_dn?</div><span><font color="#888888"><div><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Yours sincerely,</div><div dir="ltr">Dmitry Sutyagin</div><div dir="ltr">OpenStack Escalations Engineer</div><div dir="ltr">Mirantis, Inc.</div></div></div></div></div></div>
</div></font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Yours sincerely,</div><div dir="ltr">Dmitry Sutyagin</div><div dir="ltr">OpenStack Escalations Engineer</div><div dir="ltr">Mirantis, Inc.</div></div></div></div></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Yours sincerely,</div><div dir="ltr">Dmitry Sutyagin</div><div dir="ltr">OpenStack Escalations Engineer</div><div dir="ltr">Mirantis, Inc.</div></div></div></div></div></div>
</div>
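The thread above shows a membership test that uppercases one side of a DN comparison and then looks for it in a list of DNs that kept their original case, so a group-based role assignment is never matched and the user is denied. The following is an added example and is not Keystone code: it reproduces the shape of that check with the DN values quoted in the thread, and sets beside it a comparison that normalises both sides before testing membership, which is how LDAP itself treats attribute types and most DN values (case-insensitively). The `assignment_applies` function is a hypothetical model of the question the poster raises, namely that an assignment bound to a DN should apply when that DN is the user's own DN or the DN of a group the user belongs to; real DN normalisation (RFC 4514 escaping, multi-valued RDNs) is more involved than the simplified `normalize_dn` here, and the Python 2 str/unicode distinction mentioned in the thread does not exist in Python 3, so only the case-handling part of the mismatch is modelled.

```python
# Added example (not Keystone's code): case handling when comparing LDAP DNs.

# Constructed sample values, taken from the DNs quoted in the thread.
GROUP_DNS = ['CN=GroupX,OU=Groups,OU=SomeOU,DC=zzz']
GROUP_DN_LOWER = 'cn=GroupX,ou=Groups,ou=SomeOU,dc=zzz'
USER_DN = 'cn=UserX,ou=Users,ou=SomeOU,dc=zzz'


def naive_check(dn, dns):
    """Shape of the check discussed in the thread: one side is uppercased,
    the list is left as-is, so a mixed-case DN in `dns` can never match."""
    return dn.upper() in dns


def normalize_dn(dn):
    """Simplified DN normalisation: lower-case every attribute type and value
    and strip whitespace around '=' and ','. Enough for the comparison shown
    here; a production implementation must also handle RFC 4514 escaping and
    multi-valued RDNs (joined with '+')."""
    parts = []
    for rdn in dn.split(','):
        attr, _, value = rdn.partition('=')
        parts.append('%s=%s' % (attr.strip().lower(), value.strip().lower()))
    return ','.join(parts)


def normalized_check(dn, dns):
    """Membership test that normalises both sides, so case differences
    between the directory and the configured/stored DNs do not matter."""
    return normalize_dn(dn) in {normalize_dn(d) for d in dns}


def assignment_applies(assignment_dn, user_dn, user_group_dns):
    """Hypothetical model (an assumption of this example, not Keystone's
    semantics): an assignment bound to `assignment_dn` applies to a user when
    that DN is the user's own DN or one of the DNs of groups the user is in.
    A group-based assignment therefore grants the role without the user's DN
    ever having to equal the group's DN."""
    candidates = {normalize_dn(user_dn)} | {normalize_dn(g) for g in user_group_dns}
    return normalize_dn(assignment_dn) in candidates


if __name__ == '__main__':
    # Same DN as the configured group, differing only in case:
    print('naive      :', naive_check(GROUP_DN_LOWER, GROUP_DNS))        # False
    print('normalized :', normalized_check(GROUP_DN_LOWER, GROUP_DNS))   # True
    # The user's own DN is not a group DN under either check:
    print('user as grp:', normalized_check(USER_DN, GROUP_DNS))          # False
    # Group assignment reaches the user through group membership:
    print('applies    :', assignment_applies(GROUP_DNS[0], USER_DN, [GROUP_DN_LOWER]))  # True
```

Run with `python3 dn_check.py`; the first two lines show the same DN failing the naive check and passing the normalised one, which is the case-sensitivity half of the mismatch described in the thread.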