
yahoo-eng-team team mailing list archive

[Bug 1210675] Re: Role lookup fails for Active Directory


** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1210675

Title:
  Role lookup fails for Active Directory

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When using Keystone against an Active Directory server, assigned roles
  aren't found for users.

  To recreate, set up Keystone to go against Active Directory, create
  users and roles, then try to get a token scoped to a project as a
  user. It will fail with

   User admin is unauthorized for tenant
  3c1299e1042a40009691dfb3ad474180 (HTTP 401)

  I looked into this a bit, and it looks like the problem is that DNs
  aren't being compared correctly.

  With Active Directory, when you add a roleOccupant, the DN gets
  normalized. For example, here I add a "cn=..." dn to an entry, but
  when I search to get it back, it's now "CN=..." (the attribute name
  has been capitalized).

  $ ldapmodify <<EOF
  dn: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
  add: roleOccupant
  roleOccupant: cn=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
  EOF

  modifying entry
  "CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups"

  $ ldapsearch -LL -s base \
      -b "CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups" \
      "(objectclass=organizationalRole)" roleOccupant
  version: 1

  dn: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3ad474180,ou=groups
  roleOccupant: CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,CN=3c1299e1042a40009691dfb3a
   d474180,ou=groups

  There's suspect code in keystone/assignment/backends/ldap.py:

              return [self.role._dn_to_id(a.role_dn)
                      for a in role_assignments
                      if a.user_dn == user_dn]

  Here, user_dn is like 'cn=xxx' and the result user_dn is like 'CN=xxx',
  so they don't match.

  Keystone needs to do DN comparisons properly, for example by
  normalizing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1210675/+subscriptions
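The comparison problem described in the report, worked through as an added example. This is not Keystone's actual fix and not code from the bug report: it parses both DNs into their RDN components, lowercases attribute types (which are case-insensitive per the LDAP model) and values (assuming caseIgnore matching, as for cn/ou/dc), and compares the result, so the `cn=` form Keystone searched with matches the `CN=` form Active Directory returned. `role_dn_to_id`, `roles_for_user` and the sample assignments are hypothetical stand-ins modelled on the snippet and DNs in the report; only `\c` escapes are handled, not `\XX` hex pairs.

```python
# Added example: case-insensitive DN comparison for the role lookup in the
# bug report. Not Keystone's fix; helper names and sample data are invented.


def _split_ava(text):
    """Split one 'type=value' assertion into a normalized (type, value) pair.
    Attribute types are case-insensitive; values are treated as caseIgnore,
    which is right for cn/ou/dc but would be wrong for a caseExact syntax."""
    attr_type, sep, value = text.partition('=')
    if not sep:
        raise ValueError('malformed RDN component: %r' % text)
    return (attr_type.strip().lower(), value.strip().lower())


def parse_dn(dn):
    """Parse an RFC 4514 string DN into a list of RDNs (leftmost first).
    Each RDN is a sorted tuple of (type, value) pairs, so '+'-joined
    multi-valued RDNs compare equal regardless of order. Only backslash
    escapes of a single character ('\\,') are handled, not '\\XX' hex pairs."""
    rdns, rdn, buf = [], [], []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            # Escaped character: keep it literally so it is not a separator.
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ',+':
            rdn.append(_split_ava(''.join(buf)))
            buf = []
            if ch == ',':
                rdns.append(tuple(sorted(rdn)))
                rdn = []
        else:
            buf.append(ch)
        i += 1
    rdn.append(_split_ava(''.join(buf)))
    rdns.append(tuple(sorted(rdn)))
    return rdns


def dn_equals(a, b):
    """True when two string DNs name the same entry under the rules above."""
    return parse_dn(a) == parse_dn(b)


def role_dn_to_id(role_dn):
    """Hypothetical stand-in for Keystone's _dn_to_id: the role id is taken
    to be the value of the leftmost RDN."""
    return parse_dn(role_dn)[0][0][1]


def naive_roles_for_user(user_dn, role_assignments):
    """The lookup as in the snippet from the bug: plain string equality,
    which misses AD's 'CN=' form when Keystone holds 'cn='."""
    return [role_dn_to_id(a['role_dn'])
            for a in role_assignments
            if a['user_dn'] == user_dn]


def roles_for_user(user_dn, role_assignments):
    """Same lookup with the string '==' on DNs replaced by dn_equals."""
    return [role_dn_to_id(a['role_dn'])
            for a in role_assignments
            if dn_equals(a['user_dn'], user_dn)]


# Constructed sample: the DN Keystone searches with, and assignments whose
# user_dn values came back from the directory in AD's normalized form.
USER_DN = 'cn=admin,ou=Users,dc=example,dc=com'
ROLE_ASSIGNMENTS = [
    {'role_dn': 'CN=8bd9f13ac6cf43f7ac85fd95c66d0a4b,'
                'CN=3c1299e1042a40009691dfb3ad474180,ou=groups',
     'user_dn': 'CN=admin,OU=Users,DC=example,DC=com'},
    {'role_dn': 'cn=member,cn=3c1299e1042a40009691dfb3ad474180,ou=groups',
     'user_dn': 'cn=someone\\, else,ou=Users,dc=example,dc=com'},
]

if __name__ == '__main__':
    print('naive:', naive_roles_for_user(USER_DN, ROLE_ASSIGNMENTS))
    print('normalized:', roles_for_user(USER_DN, ROLE_ASSIGNMENTS))
```

Run as a script, the naive lookup returns no roles for `USER_DN` while the normalized one returns the assigned role id. Whitespace around components and the order of `+`-joined values are also ignored, since directory servers are free to rewrite both.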