[keystone] [stein] user_enabled_emulation config problem
Hello all,

I have an issue using user_enabled_emulation with my LDAP solution.

I set:
user_tree_dn = ou=Users,o=UCO
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_enabled_emulation = true
user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
user_enabled_emulation_use_group_config = true
group_tree_dn = ou=Groups,o=UCO
group_objectclass = posixGroup
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = memberUid
group_members_are_ids = true

Keystone properly lists members of the Users group but they all remain disabled.
Did I misinterpret something?

Kind regards,
Radek
Hello all,

I investigated the case. My issue arises from group_members_are_ids ignored for user_enabled_emulation_use_group_config.
I reported a bug in keystone: https://bugs.launchpad.net/keystone/+bug/1839133 and will submit a patch.
Hopefully it helps someone else as well.

Kind regards,
Radek

On Sat, 3 Aug 2019 at 20:56, Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
> Hello all,
>
> I have an issue using user_enabled_emulation with my LDAP solution.
>
> I set:
> user_tree_dn = ou=Users,o=UCO
> user_objectclass = inetOrgPerson
> user_id_attribute = uid
> user_name_attribute = uid
> user_enabled_emulation = true
> user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
> user_enabled_emulation_use_group_config = true
> group_tree_dn = ou=Groups,o=UCO
> group_objectclass = posixGroup
> group_id_attribute = cn
> group_name_attribute = cn
> group_member_attribute = memberUid
> group_members_are_ids = true
>
> Keystone properly lists members of the Users group but they all remain disabled.
> Did I misinterpret something?
>
> Kind regards,
> Radek
Hi Radosław,

On Tue, Aug 6, 2019, at 04:13, Radosław Piliszek wrote:
> Hello all,
>
> I investigated the case. My issue arises from group_members_are_ids ignored for user_enabled_emulation_use_group_config.
> I reported a bug in keystone: https://bugs.launchpad.net/keystone/+bug/1839133 and will submit a patch.
> Hopefully it helps someone else as well.
>
> Kind regards,
> Radek

Thanks for the bug report and the patch. I've added the [ops] tag to the subject line of this thread because I'm curious how many other people have tried to use the user_enabled_emulation feature and whether anyone else has run into this problem.

I'm seeing similar behavior even when using the groupOfNames objectclass and not using group_members_are_ids, so I'm hesitant to add conditionals based on that configuration.

Have you tried this on any other versions of keystone besides Stein?

Colleen
Hi Colleen,

at least Rocky is affected too.
The issue is posixGroup is not a list of DNs (unlike groupOfNames, the default, which is) but IDs - the listing code already took that into account (by group_members_are_ids being on), the emulation code did not.
It does not make sense for the two to behave differently when you ask to behave the same (by user_enabled_emulation_use_group_config being on).

Kind regards,
Radek

On Fri, 9 Aug 2019 at 02:31, Colleen Murphy <colleen@gazlene.net> wrote:
> Hi Radosław,
>
> On Tue, Aug 6, 2019, at 04:13, Radosław Piliszek wrote:
> > Hello all,
> >
> > I investigated the case. My issue arises from group_members_are_ids ignored for user_enabled_emulation_use_group_config.
> > I reported a bug in keystone: https://bugs.launchpad.net/keystone/+bug/1839133 and will submit a patch.
> > Hopefully it helps someone else as well.
> >
> > Kind regards,
> > Radek
>
> Thanks for the bug report and the patch. I've added the [ops] tag to the subject line of this thread because I'm curious how many other people have tried to use the user_enabled_emulation feature and whether anyone else has run into this problem.
>
> I'm seeing similar behavior even when using the groupOfNames objectclass and not using group_members_are_ids, so I'm hesitant to add conditionals based on that configuration.
>
> Have you tried this on any other versions of keystone besides Stein?
>
> Colleen
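The mismatch described in the last message, as an added example that is not part of the thread and is not keystone's code: a posixGroup stores bare IDs in memberUid, so a membership test that compares the user's DN matches nobody, while one that honours group_members_are_ids matches. The directory entries, user names and function names below are constructed for illustration; the option names and DNs are the ones posted in the thread.

```python
# Added illustration: models only the membership comparison, not keystone itself.

# Options taken from the configuration posted in the thread.
CONF = {
    "user_id_attribute": "uid",
    "group_member_attribute": "memberUid",
    "group_members_are_ids": True,
}

# Constructed directory content (sample users, not real data).
USERS = {
    "uid=alice,ou=Users,o=UCO": {"uid": "alice"},
    "uid=bob,ou=Users,o=UCO": {"uid": "bob"},
}
ENABLED_GROUP = {
    "dn": "cn=Users,ou=Groups,o=UCO",
    "objectClass": "posixGroup",
    "memberUid": ["alice"],  # bare IDs, not DNs
}


def norm_dn(dn):
    """Simplified DN comparison key: case-folded, no spaces around commas.
    Does not handle escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def enabled_dn_only(user_dn, group, conf):
    """Membership test that always treats member values as DNs."""
    values = group.get(conf["group_member_attribute"], [])
    return norm_dn(user_dn) in {norm_dn(v) for v in values}


def enabled_per_group_config(user_dn, user, group, conf):
    """Membership test that honours group_members_are_ids."""
    values = group.get(conf["group_member_attribute"], [])
    if conf["group_members_are_ids"]:
        return user[conf["user_id_attribute"]] in values
    return norm_dn(user_dn) in {norm_dn(v) for v in values}


def report(users=USERS, group=ENABLED_GROUP, conf=CONF):
    """Map user ID -> (enabled by DN-only test, enabled by ID-aware test)."""
    return {
        user[conf["user_id_attribute"]]: (
            enabled_dn_only(dn, group, conf),
            enabled_per_group_config(dn, user, group, conf),
        )
        for dn, user in users.items()
    }
```

A result where every user is False under the DN-only test but group listing still shows members is the symptom reported at the top of the thread.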
participants (2)
- Colleen Murphy
- Radosław Piliszek