
yahoo-eng-team team mailing list archive

[Bug 1336769] [NEW] LDAP additional attribute mappings do not care about model attribute

 

Public bug reported:

Additional attribute mappings can be used to map ldap attributes to
internal keystone attributes. This allows keystone to fulfill ldap
objectclass requirements. List of additional LDAP attributes used for
mapping additional attribute mappings for users (or projects). Attribute
mapping format is <ldap_attr>:<model_attr>, where ldap_attr is the
attribute in the LDAP entry and model_attr is the Identity API
attribute. (list value).

So far so good. Now, follow these steps:
1- Apply this patch https://review.openstack.org/#/c/91490/

2- Add this parameter to keystone.conf file
tenant_additional_attribute_mapping = objectCategory:notexistingfield1, whenChanged:notexistingfield2

3- Add 'objectCategory' and 'whenChanged' LDAP parameters to the Project model in keystone/common/models.py
class Project(Model):
    required_keys = ('id', 'name', 'domain_id')
    optional_keys = ('description', 'enabled', 'objectCategory', 'whenChanged')

4- Restart keystone

5- Execute this in command line:
curl -H "X-Auth-Token:admin_token" http://localhost:5000/v3/projects

Everything works perfectly! You can see the info of the 'objectCategory'
and 'whenChanged' LDAP parameters in the JSON string returned by curl...
and it should not (I think) work, because "notexistingfield1" and
"notexistingfield2" are not real fields.

I have a mistake in the keystone.conf file and everything is working
properly.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1336769


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1336769/+subscriptions
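
The check the report expects, written out as an added example (not Keystone's code and not part of the original message): parse the <ldap_attr>:<model_attr> list and flag any model_attr that is not a key of the Project model. The function names are hypothetical; the model keys are the ones listed in step 3 and the sample value is the one from step 2.

```python
# Added example: hypothetical helper names, not Keystone code.

# Project model keys as extended in step 3 of the report.
PROJECT_MODEL_KEYS = frozenset(
    ('id', 'name', 'domain_id',
     'description', 'enabled', 'objectCategory', 'whenChanged'))


def parse_mappings(raw):
    """Split '<ldap_attr>:<model_attr>, ...' into pairs and malformed items."""
    pairs, malformed = [], []
    for item in (part.strip() for part in raw.split(',')):
        if not item:
            continue  # tolerate a trailing comma
        fields = [f.strip() for f in item.split(':')]
        if len(fields) == 2 and all(fields):
            pairs.append((fields[0], fields[1]))
        else:
            malformed.append(item)
    return pairs, malformed


def check_mappings(raw, model_keys=PROJECT_MODEL_KEYS):
    """Classify each mapping by whether model_attr exists on the model."""
    pairs, malformed = parse_mappings(raw)
    return {
        'valid': [p for p in pairs if p[1] in model_keys],
        'unknown_model_attr': [p for p in pairs if p[1] not in model_keys],
        'malformed': malformed,
    }


if __name__ == '__main__':
    # Value from step 2 of the report.
    reported = ('objectCategory:notexistingfield1, '
                'whenChanged:notexistingfield2')
    result = check_mappings(reported)
    for ldap_attr, model_attr in result['unknown_model_attr']:
        print('reject: %s -> %s (no such model attribute)'
              % (ldap_attr, model_attr))
```

Run against a configuration value at service start, a non-empty 'unknown_model_attr' or 'malformed' list is the signal to refuse the setting instead of serving the LDAP attributes under their own names.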

