yahoo-eng-team team mailing list archive
Message #04338
[Bug 1210675] Re: Role lookup fails for Active Directory
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1210675
Title:
Role lookup fails for Active Directory
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
When using Keystone against an Active Directory server, assigned roles
aren't found for users.
To recreate, set up Keystone to go against Active Directory, create
users and roles, then try to get a token scoped to a project as a
user. It will fail with
User admin is unauthorized for tenant
3c1299e1042a40009691dfb3ad474180 (HTTP 401)
I looked into this a bit, and it looks like the problem is that DNs
aren't being compared correctly.
With Active Directory, when you add a roleOccupant, the DN gets
normalized. For example, here I add a "cn=..." dn to an entry, but
when I search to get it back, it's now "CN=..." (the attribute name
has been capitalized).
$ ldapmodify <<EOF
dn: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
add: roleOccupant
roleOccupant: cn=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
EOF
modifying entry
"CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups"
$ ldapsearch -LL -s base \
-b "CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups" \
"(objectclass=organizationalRole)" roleOccupant
version: 1
dn: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
roleOccupant: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
There's suspect code in keystone/assignment/backends/ldap.py:
return [self.role._dn_to_id(a.role_dn)
for a in role_assignments
if a.user_dn == user_dn]
here, user_dn is like 'cn=xxx' and the result user_dn is like 'CN=xxx'
so they don't match.
Keystone needs to do DN comparisons properly, for example by
normalizing.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1210675/+subscriptions
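The comparison the reporter points at (`a.user_dn == user_dn`) is a byte-for-byte string match, which is not how LDAP defines DN equality: attribute types are case-insensitive, values of caseIgnore attributes such as cn, ou and dc are compared case-insensitively, and the same value can be escaped in different ways (`\,` versus `\2C`). The script below is an added example, not Keystone's code and not the fix that was released for this bug. It parses both DNs per RFC 4514 with a small hand-written parser (inside Keystone one would use python-ldap's `ldap.dn.str2dn` instead; the parser is inlined here so the example runs without python-ldap), normalizes them, and compares the normalized forms. The role assignments, user DN and role DN are constructed for the example. One assumption is built in: every attribute in the DNs being compared is matched case-insensitively, which holds for the cn/ou/dc DNs Keystone builds but not for arbitrary directory schemas.

```python
"""Structural DN comparison, robust to Active Directory's case
normalization of stored DNs (added example; not Keystone's code).

Assumption: all attributes in the compared DNs use caseIgnore
matching (cn, ou, dc), so values are case-folded as well as types.
"""
from collections import namedtuple

_HEX = "0123456789abcdefABCDEF"


def _split_unescaped(s: str, seps: str) -> list:
    """Split s on any char in seps, ignoring backslash-escaped chars."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])       # keep the escape pair intact
            i += 2
            continue
        if s[i] in seps:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw: str) -> str:
    """Resolve RFC 4514 escapes (\\, and \\2C forms) and drop the
    insignificant unescaped spaces at either end of the value."""
    chars = []                            # (utf-8 bytes, was_escaped)
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(h in _HEX for h in pair):
                chars.append((bytes([int(pair, 16)]), True))
                i += 3
            else:
                chars.append((raw[i + 1].encode("utf-8"), True))
                i += 2
        else:
            chars.append((raw[i].encode("utf-8"), False))
            i += 1
    while chars and chars[0] == (b" ", False):
        chars.pop(0)
    while chars and chars[-1] == (b" ", False):
        chars.pop()
    return b"".join(b for b, _ in chars).decode("utf-8")


def parse_dn(dn: str) -> list:
    """Return [[(attr, value), ...], ...]: one list of AVAs per RDN."""
    rdns = []
    for rdn in _split_unescaped(dn, ",;"):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, _, value = ava.partition("=")
            avas.append((attr.strip().lower(), _unescape(value)))
        rdns.append(avas)
    return rdns


def normalize_dn(dn: str) -> tuple:
    """Canonical, hashable form: lower-cased types, case-folded values,
    AVAs within a multi-valued RDN sorted so '+' order does not matter."""
    return tuple(
        tuple(sorted((attr, value.casefold()) for attr, value in rdn))
        for rdn in parse_dn(dn)
    )


def dn_equal(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


# Constructed stand-in for the objects Keystone's LDAP backend iterates.
RoleAssignment = namedtuple("RoleAssignment", "user_dn role_dn")


def buggy_roles_for_user(role_assignments, user_dn):
    """The comparison quoted in the bug report: plain string equality."""
    return [a.role_dn for a in role_assignments if a.user_dn == user_dn]


def fixed_roles_for_user(role_assignments, user_dn):
    """Same lookup, comparing normalized DNs instead of raw strings."""
    target = normalize_dn(user_dn)
    return [a.role_dn for a in role_assignments
            if normalize_dn(a.user_dn) == target]


# Constructed data: the DN Keystone built, and what AD hands back after
# it normalized the stored roleOccupant value ('cn=' became 'CN=').
USER_DN = "cn=8bd9f13ac6cf43f7ac85fd95c66d0a4b,ou=users"
AD_ROLE_ASSIGNMENTS = [
    RoleAssignment("CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,OU=users",
                   "cn=admin,ou=roles"),
    RoleAssignment("CN=someone-else,OU=users", "cn=member,ou=roles"),
]

if __name__ == "__main__":
    print("buggy:", buggy_roles_for_user(AD_ROLE_ASSIGNMENTS, USER_DN))
    print("fixed:", fixed_roles_for_user(AD_ROLE_ASSIGNMENTS, USER_DN))
```

Note that lower-casing both strings before comparing would have fixed the report's exact symptom but still misses the escaping case (`cn=Doe\, John` and `CN=Doe\2C John` are the same DN), which is why the comparison is done on parsed structure rather than on text.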