
yahoo-eng-team team mailing list archive

[Bug 1217447] Re: ldap _get_enabled is returning entire groupOfNames object for enabled_users and enabled_tenants

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1217447

Title:
  ldap _get_enabled is returning entire groupOfNames object for
  enabled_users and enabled_tenants

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  If you have 500 users in a tenant, the enabled_users check will return
  a groupOfNames object with 500 user CNs in it.

  Example ldapsearch:

  ldapsearch -x -D "cn=admin,dc=example,dc=com" -wpassword -b "cn=enabled_users,ou=Users,dc=example,dc=com" "member=cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com" -s base

  ***** OUTPUT *****
  # extended LDIF
  #
  # LDAPv3
  # base <cn=enabled_users,ou=Users,dc=rcb,dc=me> with scope baseObject
  # filter: member=cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=rcb,dc=me
  # requesting: ALL
  #

  # enabled_users, Users, example.com
  dn: cn=enabled_users,ou=Users,dc=example,dc=com
  objectClass: groupOfNames
  member: cn=dumb,dc=nonexistent
  member: cn=2c0c7a0ad381465e87faea4209780b93,ou=Users,dc=example,dc=com
  member: cn=6ac4f3701ba144888669b7f9026eb456,ou=Users,dc=example,dc=com
  member: cn=297b9d63b5fa4dcea1f33a21d732d357,ou=Users,dc=example,dc=com
  member: cn=fbe7ecef7bf64631943aed243c8a8740,ou=Users,dc=example,dc=com
  member: cn=2fa87b703eba4d118e8cecd7a9398a59,ou=Users,dc=example,dc=com
  member: cn=079b66e2f49449279e62057f94d0f370,ou=Users,dc=example,dc=com
  member: cn=e0c53180c6c344bc806ba558009258cf,ou=Users,dc=example,dc=com
  member: cn=a7e152918f8c42d18023abb147b129a6,ou=Users,dc=example,dc=com
  member: cn=3278c2b961a547edb7496f023f73eee5,ou=Users,dc=example,dc=com
  member: cn=ea70ba972c334fe39210a35ede37a1ab,ou=Users,dc=example,dc=com
  member: cn=f18cb5cbb6204f44853348abeef8dd9d,ou=Users,dc=example,dc=com
  member: cn=229366aa6ba3444f9bd8392342be81ab,ou=Users,dc=example,dc=com
  member: cn=efe4b41cac284a99a0cf4e0164e29ded,ou=Users,dc=example,dc=com
  member: cn=1f023c493f1241bb9fe02181f134fe13,ou=Users,dc=example,dc=com
  member: cn=a51ce49edc124096ba6dcb88b8ae518d,ou=Users,dc=example,dc=com
  member: cn=07d324f7b86d4fc39572a574953bc4a3,ou=Users,dc=example,dc=com
  ***** SNIP *****
  member: cn=07d6df2e33bf4dafa93ef30a3b77d97f,ou=Users,dc=example,dc=com
  member: cn=c238bf336bc6466db5e92bb9ae68dcde,ou=Users,dc=example,dc=com
  member: cn=12c01d4381e74721b1c46a84b3e56b5a,ou=Users,dc=example,dc=com
  cn: enabled_users

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

  The return size increases with the number of users in the tenant (e.g.
  1000 users will return 1000+ rows).

  The LDAP query should supply an Attribute List of CN instead of
  returning the entire list.

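The attribute-list change the report asks for, as an added example that is not Keystone's code and not part of the original report: a base-scope membership check that requests only `cn`, compared with one that requests all attributes. It assumes a connection object with a python-ldap style `search_s(base, scope, filterstr, attrlist)` method; `is_enabled`, `escape_filter_value`, `FakeDirectory` and the sample DNs are hypothetical names and constructed data.

```python
SCOPE_BASE = 0  # same numeric value as ldap.SCOPE_BASE in python-ldap


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)


def is_enabled(conn, group_dn, member_dn, attrlist=('cn',)):
    """Return (enabled, attribute_values_returned) for a membership check.

    attrlist=None requests every attribute, which is the behaviour the
    report describes; the default asks the server for `cn` only.
    """
    flt = '(member=%s)' % escape_filter_value(member_dn)
    results = conn.search_s(group_dn, SCOPE_BASE, flt,
                            list(attrlist) if attrlist else None)
    values = sum(len(v) for _dn, attrs in results for v in attrs.values())
    return bool(results), values


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection (assumption).

    Only understands the exact '(member=<dn>)' filter built above.
    """

    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: [values]}}

    def search_s(self, base, scope, filterstr, attrlist=None):
        attrs = self.entries.get(base, {})
        wanted = filterstr[len('(member='):-1]
        if wanted not in attrs.get('member', []):
            return []  # filter did not match the base entry
        if attrlist is not None:
            attrs = {k: v for k, v in attrs.items() if k in attrlist}
        return [(base, attrs)]


# Constructed sample data: a 500-member group like the one in the report.
GROUP_DN = 'cn=enabled_users,ou=Users,dc=example,dc=com'
MEMBERS = ['cn=user%03d,ou=Users,dc=example,dc=com' % i for i in range(500)]
DIRECTORY = FakeDirectory({GROUP_DN: {'objectClass': ['groupOfNames'],
                                      'cn': ['enabled_users'],
                                      'member': MEMBERS}})
```

With `ldapsearch`, the equivalent is to append `cn` after the filter so that only that attribute is requested.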