[openstack-dev] [keystone] All LDAP users returned using keystone v3/users API

Anna A Sortland annasort at us.ibm.com
Fri Mar 14 19:33:45 UTC 2014

Hi Nathan, 
I agree that we should be using filters on LDAP search whenever possible. 
I still believe it is a valid use case for a new 'roles' API to retrieve 
users with role grants and I am not sure it is possible to do without 
querying LDAP for one user at a time. 

Anna Sortland
Cloud Systems Software Development
IBM Rochester, MN
annasort at us.ibm.com

From:   Nathan Kinder <nkinder at redhat.com>
To:     "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev at lists.openstack.org>, 
Date:   03/13/2014 09:50 PM
Subject:        Re: [openstack-dev] [keystone] All LDAP users returned 
using keystone v3/users API

On 03/13/2014 08:36 AM, Anna A Sortland wrote:
> [A] The current keystone LDAP community driver returns all users that
> exist in LDAP via the API call v3/users, instead of returning just users
> that have role grants (similar processing is true for groups). This
> could potentially be a very large number of users. We have seen large
> companies with LDAP servers containing hundreds and thousands of users.
> We are aware of the filters available in keystone.conf
> ([ldap].user_filter and [ldap].query_scope) to cut down on the number of
> results, but they do not provide sufficient filtering (for example, it
> is not possible to set user_filter to members of certain known groups
> for OpenLDAP without creating a memberOf overlay on the LDAP server).
> [Nathan Kinder] What attributes would you filter on?  It seems to me
> that LDAP would need to have knowledge of the roles to be able to filter
> based on the roles.  This is not necessarily the case, as identity and
> assignment can be split in Keystone such that identity is in LDAP and
> role assignment is in SQL.  I believe it was designed this way to deal
> with deployments
> where LDAP already exists and there is no need (or possibility) of
> adding role info into LDAP.
> [A] That's our main use case. The users and groups are in LDAP and role
> assignments are in SQL.
> You would filter on role grants and this information is in SQL backend.
> So new API would need to query both identity and assignment drivers.
> [Nathan Kinder] Without filtering based on a role attribute in LDAP, I
> don't think that there is a good solution if you have OpenStack and
> non-OpenStack users mixed in the same container in LDAP.
> If you want to first find all of the users that have a role assigned to
> them in the assignments backend, then pull their information from LDAP,
> I think that you will end up with one LDAP search operation per user.
> This also isn't a very scalable solution.
> [A] What was the reason the LDAP driver was written this way, instead of
> returning just the users that have OpenStack-known roles? Was the
> creation of a separate API for this function considered?
> Are other exploiters of OpenStack (or users of Horizon) experiencing
> this issue? If so, what was their approach to overcome this issue? We
> have been prototyping a keystone extension that provides an API that
> provides this filtering capability, but it seems like a function that
> should be generally available in keystone.
> [Nathan Kinder] I'm curious to know how your prototype is looking to
> handle this.
> [A] The prototype basically first calls assignment API
> list_role_assignments() to get a list of users and groups with role
> grants. It then iterates the retrieved list and calls identity API
> list_users_in_group() to get the list of users in these groups with
> grants and get_user() to get users that have role grants but do not
> belong to the groups with role grants (a call for each user). Both calls
> ignore groups and users that are not found in the LDAP registry but
> exist in SQL (this could be the result of a user or group being removed
> from LDAP, but the corresponding role grant was not revoked). Then the
> code removes duplicates if any and returns the combined list.

My main concern about this is that you have a single LDAP search
operation per user.  This will get you the correct results, but it isn't
very efficient for the LDAP server if you have a large number of users.
 Performing a single LDAP search operation will perform better if there
is some attribute you can use to filter on, as the connection handling
and operation parsing overhead will be much less.  If you are unable to
add an attribute in LDAP that identifies users that Keystone should list
(such as memberOf), you may not have much choice other than your proposal.

> The new extension API is /v3/my_new_extension/users. Maybe the better
> naming would be v3/roles/users (list users with any role) - compare to
> existing v3/roles/​{role_id}​/users  (list users with a specified 
> Another alternative that we've tried is just a new identity driver that
> inherits from keystone.identity.backends.ldap.LDAPIdentity and overrides
> just the list_users() function. That's probably not the best approach
> from OpenStack standards point of view but I would like to get
> community's feedback on whether this is acceptable.
> I've posted this question to openstack-security last week but could not
> get any feedback after Nathan's first reply. Reposting to 

Sorry for the delay in replying.  This list is a better place to discuss
this anyway, as you will get more visibility.

> Anna Sortland
> Cloud Systems Software Development
> IBM Rochester, MN
> annasort at us.ibm.com
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140314/446a61a4/attachment.html>

More information about the OpenStack-dev mailing list