[openstack-dev] [keystone] Liberty - problem with assignment LDAP backend - Groups
Dmitry Sutyagin
dsutyagin at mirantis.com
Thu Apr 21 00:41:58 UTC 2016
Hi everybody,
I am observing the following issue:
LDAP backend is enabled for identity and assignment, domain specific
configs disabled.
LDAP section configured - users, groups, projects and roles are mapped.
I am able to use identity v3 api to list users, groups, to verify that a
user is in a group, and also to view role assignments - everythings looks
correct so far.
I am able to create a role for user in LDAP and if I put a user directly
into a role, everything works.
But when I put a group (which contains that user) into a role - the user
get's 401.
I have found a spot in the code which causes the issue:
https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67
This check returns False, here is why:
===============================================
group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'
===============================================
Therefore the check:
====================================
if role_assignment.user_dn.upper() in group_dns
====================================
Will return false. I do not understand how this should work - why should
user_dn match group_dn?
--
Yours sincerely,
Dmitry Sutyagin
OpenStack Escalations Engineer
Mirantis, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160420/7cea3059/attachment.html>
More information about the OpenStack-dev
mailing list