<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 04/20/2016 09:10 PM, Dmitry Sutyagin
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAK--E_4C3yQhCFcaq61kiuS-M9iKB1qs=snOakD_6fo89V7jsA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Another correction - the issue is observed in Kilo,
        not Liberty, sorry for messing this up. (though this part of the
        code is identical in L)</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Apr 20, 2016 at 5:50 PM, Dmitry
          Sutyagin <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:dsutyagin@mirantis.com" target="_blank">dsutyagin@mirantis.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Correction:
              <div><br>
              </div>
              <div>group_dns = [u'CN=GroupX,OU=Groups,OU=SomeOU,DC=zzz']<br>
              </div>
              <div>ra.user_dn.upper() =
                'CN=GROUPX,OU=GROUPS,OU=SOMEOU,DC=ZZZ'<br>
                <br>
                So this could work if only:</div>
              <div>- string in group_dns was str, not unicode</div>
              <div>- text was uppercase</div>
              <div><br>
              </div>
              <div>Now the question is - should it be so?</div>
            </div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Wed, Apr 20, 2016 at 5:41
                    PM, Dmitry Sutyagin <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:dsutyagin@mirantis.com"
                        target="_blank">dsutyagin@mirantis.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">Hi everybody,
                        <div><br>
                        </div>
                        <div>I am observing the following issue:</div>
                        <div><br>
                        </div>
                        <div>LDAP backend is enabled for identity and
                          assignment, domain specific configs disabled.</div>
                        <div>LDAP section configured - users, groups,
                          projects and roles are mapped.</div>
                        <div>I am able to use the identity v3 API to list
                          users and groups, to verify that a user is in a
                          group, and also to view role assignments -
                          everything looks correct so far.</div>
                        <div>I am able to create a role for a user in LDAP,
                          and if I put a user directly into a role,
                          everything works.</div>
                        <div>But when I put a group (which contains that
                          user) into a role, the user gets a 401.</div>
                        <div><br>
                        </div>
                        <div>I have found a spot in the code which
                          causes the issue:</div>
                        <div><br>
                        </div>
                        <div><a moz-do-not-send="true"
href="https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67"
                            target="_blank">https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67</a></div>
                        <div><br>
                        </div>
                        <div>This check returns False, here is why:</div>
                        <div>===============================================<br>
                        </div>
                        <div>group_dns =
                          ['cn=GroupX,ou=Groups,ou=YYY,dc=...']</div>
                        <div>role_assignment.user_dn =
                          'cn=UserX,ou=Users,ou=YYY,dc=...'</div>
                        <div>===============================================<br>
                        </div>
                        <div><br>
                        </div>
                        <div>Therefore the check:</div>
                        <div>====================================<br>
                        </div>
                        <div>if role_assignment.user_dn.upper() in
                          group_dns</div>
                        <div>====================================<br>
                        </div>
                        <div>Will return false. I do not understand how
                          this should work - why should user_dn match
                          group_dn?</div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
    I would not advise using the LDAP assignment backend, but rather use
    LDAP for identity and put assignments in SQL.  LDAP assignments were
    deprecated a few releases ago and have since been removed.<br>
    <br>
    <br>
    <blockquote
cite="mid:CAK--E_4C3yQhCFcaq61kiuS-M9iKB1qs=snOakD_6fo89V7jsA@mail.gmail.com"
      type="cite">
      <div class="gmail_extra">
        <div class="gmail_quote">
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra">
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr"><span><font color="#888888">
                            <div>
                              <div><br>
                              </div>
                              -- <br>
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div dir="ltr">
                                        <div dir="ltr">Yours sincerely,</div>
                                        <div dir="ltr">Dmitry Sutyagin</div>
                                        <div dir="ltr">OpenStack
                                          Escalations Engineer</div>
                                        <div dir="ltr">Mirantis, Inc.</div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </font></span></div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    <br>
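    The thread above boils down to two properties of the membership check:
    a DN compared with <code>dn.upper() in group_dns</code> only matches when
    the stored strings happen to be upper-case <code>str</code> values, and a
    user DN can never equal a group DN in the first place, so the question
    "is this user in the group" has to be answered against the group's
    member values, not the group's own DN. The following Python is an added
    illustration of a normalizing DN comparison; it is not Keystone's code
    and not taken from the thread's deployment. The directory entries,
    attribute names (<code>member</code>) and the <code>example.org</code>
    suffix are constructed for the example.<br>

```python
"""Case- and type-insensitive LDAP DN comparison (added illustration, not
Keystone's code).  Shows why ``user_dn.upper() in group_dns`` is fragile and
how a normalized comparison behaves.  All DNs below are constructed."""


def split_rdns(dn):
    """Split a DN string into RDN strings on unescaped commas.

    A backslash escapes the following character (RFC 4514), so a value such
    as ``cn=Doe\\, John`` is kept as one RDN instead of being split.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(ch)
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def normalize_dn(dn):
    """Return a canonical form of a DN suitable for equality comparison.

    - bytes are decoded as UTF-8 (the wire encoding of LDAP DNs), so the
      str-vs-unicode mismatch seen in the thread cannot cause a false miss
    - whitespace around each RDN and around '=' is dropped
    - attribute types and values are lower-cased.  Assumption: all attributes
      involved (cn, ou, dc, ...) use case-insensitive matching rules, which
      is the usual case for naming attributes.
    """
    if isinstance(dn, bytes):
        dn = dn.decode('utf-8')
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        rdns.append('%s=%s' % (attr.strip().lower(), value.strip().lower()))
    return ','.join(rdns)


def naive_member_check(user_dn, group_dns):
    """The fragile form discussed in the thread: exact match after upper()."""
    return user_dn.upper() in group_dns


def dn_in(dn, dns):
    """True if ``dn`` denotes the same entry as any DN in ``dns``."""
    target = normalize_dn(dn)
    return any(normalize_dn(d) == target for d in dns)


# Constructed sample directory data for the example (not real entries).
GROUP_ENTRY = {
    'dn': 'cn=GroupX,ou=Groups,ou=YYY,dc=example,dc=org',
    # member values come back from the server as bytes with mixed case
    'member': [b'CN=UserX, OU=Users, OU=YYY, DC=example, DC=org'],
}
USER_DN = u'cn=userx,ou=users,ou=yyy,dc=example,dc=org'


def user_in_group(user_dn, group_entry):
    """Membership is decided against the group's member values, never by
    comparing the user DN with the group DN itself."""
    return dn_in(user_dn, group_entry['member'])


if __name__ == '__main__':
    print('naive check:', naive_member_check(USER_DN, GROUP_ENTRY['member']))
    print('user DN equals group DN:', dn_in(USER_DN, [GROUP_ENTRY['dn']]))
    print('user in group:', user_in_group(USER_DN, GROUP_ENTRY))
```

    The hand-written splitter is enough to show the point; a production
    implementation would parse DNs with a real parser such as
    <code>ldap.dn.str2dn</code> from python-ldap and compare the resulting
    RDN lists, which also handles hex-escaped and multi-valued RDNs that
    this example does not.<br>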
  </body>
</html>