Any thought on this? Thanks in advance.

Michel

Le 24/01/2024 à 10:29, Michel Jouvin a écrit :
> Hi,
>
> For historical (and bad) resons, we decided 10 years ago when we
> created our cloud that the Keystone LDAP backend will use the CN as
> the user_id_attribute rather than the usual SAMAccountName. Since then
> it has been a source of various problems with CN changes, accented
> characters in CN... We'd like to change it to SAMAccountName but there
> is clearly no easy/supported way of doing it and we are looking for
> some information on the best way to do it and the risks if somebody
> has some clues... It should impact ~30 users so not a huge number...
>
> What we have in mind is basically:
>
> - Change the backend attribute
> - Import new accounts
> - Assign the new accounts to the same projects as the ol accounts,
> with the same role
>
> One of the foreseen problemsis that old and new accounts will share
> the same user_name_attribute, based on SAMAccountName. It is not
> allowed by openstack if I'm right so for the scenario to work we need
> to change the user_name_attribute of old accounts to something
> different (we don't care that the user cannot use the account during
> the transition peroid as long as it doesn't impact active resources).
> Is it enough to update it in the database? We'd prefer to keep the old
> accounts in OpenStack until the end of the transition...
>
> Another minor issue is the reassignment of keypairs to the new
> account. It is poosble to ask the user to reload its public keys but
> we were wondering it there was a not too risky way of doing it for
> him/her by updating the DB (I guess there is no API for this).
>
> Thanks in advance if you have any thought/information to share. Best
> regards.
>
> Michel
>