[keystone] [stein] [ops] user_enabled_emulation config problem

Radosław Piliszek radoslaw.piliszek at gmail.com
Fri Aug 9 06:05:55 UTC 2019


Hi Colleen,

at least Rocky is affected too.

The issue is posixGroup is not a list of DNs (unlike groupOfNames, the
default, which is) but IDs - the listing code already took that into
account (by group_members_are_ids being on), the emulation code did not.
It does not make sense for the two to behave differently when you ask to
behave the same (by user_enabled_emulation_use_group_config being on).

Kind regards,
Radek

On Fri, 9 Aug 2019 at 02:31, Colleen Murphy <colleen at gazlene.net> wrote:

> Hi Radosław,
>
> On Tue, Aug 6, 2019, at 04:13, Radosław Piliszek wrote:
> > Hello all,
> >
> > I investigated the case.
> > My issue arises from group_members_are_ids ignored for
> > user_enabled_emulation_use_group_config.
> > I reported a bug in keystone:
> > https://bugs.launchpad.net/keystone/+bug/1839133
> > and will submit a patch.
> > Hopefully it helps someone else as well.
> >
> > Kind regards,
> > Radek
>
> Thanks for the bug report and the patch. I've added the [ops] tag to the
> subject line of this thread because I'm curious how many other people have
> tried to use the user_enabled_emulation feature and whether anyone else has
> run into this problem.
>
> I'm seeing similar behavior even when using the groupOfNames objectclass
> and not using group_members_are_ids, so I'm hesitant to add conditionals
> based on that configuration.
>
> Have you tried this on any other versions of keystone besides Stein?
>
> Colleen
>
> >
> > On Sat, 3 Aug 2019 at 20:56, Radosław Piliszek
> > <radoslaw.piliszek at gmail.com> wrote:
> > > Hello all,
> > >
> > > I have an issue using user_enabled_emulation with my LDAP solution.
> > >
> > > I set:
> > > user_tree_dn = ou=Users,o=UCO
> > > user_objectclass = inetOrgPerson
> > > user_id_attribute = uid
> > > user_name_attribute = uid
> > > user_enabled_emulation = true
> > > user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
> > > user_enabled_emulation_use_group_config = true
> > > group_tree_dn = ou=Groups,o=UCO
> > > group_objectclass = posixGroup
> > > group_id_attribute = cn
> > > group_name_attribute = cn
> > > group_member_attribute = memberUid
> > > group_members_are_ids = true
> > >
> > > Keystone properly lists members of the Users group but they all remain
> > > disabled.
> > > Did I misinterpret something?
> > >
> > > Kind regards,
> > > Radek
>
>
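
Added example, not part of the original thread and not keystone's code: a simplified in-memory model of the mismatch described in the top message, where a posixGroup's member attribute holds IDs while the enabled check looks for a full DN. The user alice, the second group and all function names are constructed for illustration; the DNs and attribute names come from the quoted configuration.

```python
# Simplified model of enabled emulation; an illustration, not keystone's code.
# Constructed sample entries built on the DNs from the quoted configuration.
GROUPS = {
    "cn=Users,ou=Groups,o=UCO": {      # posixGroup: members are bare IDs
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "bob"],
    },
    "cn=Names,ou=Groups,o=UCO": {      # groupOfNames: members are full DNs
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=Users,o=UCO"],
    },
}


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def member_value(user_id, user_dn, members_are_ids):
    """Value to look for in the member attribute: the ID or the full DN."""
    return user_id if members_are_ids else user_dn


def membership_filter(member_attribute, value):
    """LDAP filter a directory search for this membership would use."""
    return "(%s=%s)" % (member_attribute, escape_filter_value(value))


def is_enabled(group_dn, member_attribute, user_id, user_dn, members_are_ids):
    """Enabled emulation: the user counts as enabled only if listed in the group."""
    entry = GROUPS.get(group_dn, {})
    wanted = member_value(user_id, user_dn, members_are_ids)
    return wanted in entry.get(member_attribute, [])


if __name__ == "__main__":
    dn = "uid=alice,ou=Users,o=UCO"
    for flag in (False, True):
        # With the flag ignored (False) the DN is compared against bare IDs.
        enabled = is_enabled("cn=Users,ou=Groups,o=UCO", "memberUid", "alice", dn, flag)
        wanted = member_value("alice", dn, flag)
        print(flag, membership_filter("memberUid", wanted), enabled)
```
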