yahoo-eng-team team mailing list archive
Message #24870
[Bug 1366020] Re: LDAP Identity does not convert ID to DN for lookup
[Expired for Keystone because there has been no activity for 60 days.]
** Changed in: keystone
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1366020
Title:
LDAP Identity does not convert ID to DN for lookup
Status in OpenStack Identity (Keystone):
Expired
Bug description:
There is a disconnect between how Identity gets users for
Authentication and how it creates users.
When creating a user, deleting a user, etc., the identity code calls:
    conn.add_s(self._id_to_dn(values['id']), attrs)
Which attempts to convert an id to a dn two different ways. One is
by composing the DN:
    def _id_to_dn_string(self, object_id):
        return u'%s=%s,%s' % (self.id_attr,
                              ldap.dn.escape_dn_chars(
                                  six.text_type(object_id)),
                              self.tree_dn)
The other is by searching for a record of that objectclass.
The difference is whether subtree searches are enabled.
The authenticate code path is different:
    def authenticate(self, user_id, password):
        try:
            user_ref = self._get_user(user_id)
            ...

    def _get_user(self, user_id):
        return self.user.get(user_id)

    def get(self, object_id, ldap_filter=None):
        res = self._ldap_get(object_id, ldap_filter)

    def _ldap_get(self, object_id, ldap_filter=None):
        conn = self.get_connection()
        query = (u'(&(%(id_attr)s=%(id)s)' ....
Note that this second way of finding the object matches the subtree search method.
I think this has worked thus far mostly due to convention: If a DN is of the form:
uid=ayoung,cn....
and the object has the attribute
uid=ayoung
Both searches will match the object. However, if the DN is like this:
CN=ayoung,CN=...
but the user has
CN=Adam
The second will not match.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1366020/+subscriptions
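The two ID-to-DN strategies the report contrasts (composing "id_attr=id,tree_dn" for create/delete versus a subtree search on "(&(id_attr=id)(objectClass=...))" for authenticate) can be reproduced without a directory server. The following is an added example written for this page, not code from the bug report or from Keystone. It models both paths against a constructed in-memory directory and checks whether they name the same entry, covering the report's uid convention, its CN=ayoung / CN=Adam case, and, going beyond the report, the case where the configured id attribute is not the RDN attribute at all. FakeDirectory, IdResolver and compare_lookups are names chosen here, the escape routine is a simplified stand-in for ldap.dn.escape_dn_chars, and the sample entries are constructed.

```python
# Added example; not code from the bug report or from Keystone. It models the
# two ID-to-DN strategies the report contrasts against a constructed in-memory
# directory so the disconnect can be reproduced offline. FakeDirectory,
# IdResolver and compare_lookups are names chosen here, not Keystone APIs.


def escape_dn_chars(value):
    """Escape one RDN attribute value. Simplified RFC 4514 rules, standing in
    for python-ldap's ldap.dn.escape_dn_chars (assumption)."""
    escaped = ''.join('\\' + ch if ch in '\\,+"<>;=' else ch for ch in value)
    if escaped[:1] in ('#', ' '):
        escaped = '\\' + escaped
    if escaped.endswith(' ') and not escaped.endswith('\\ '):
        escaped = escaped[:-1] + '\\ '
    return escaped


class FakeDirectory:
    """Constructed directory: a list of (dn, attributes). DNs, attribute names
    and values are compared case-insensitively, as LDAP's caseIgnore matching
    does. The server rule that an entry must carry its RDN value as an
    attribute is deliberately not enforced, so the report's CN=ayoung / CN=Adam
    entry can be stored and its effect observed."""

    def __init__(self, entries):
        self.entries = [
            (dn, {name.lower(): [v.lower() for v in vals] for name, vals in attrs.items()})
            for dn, attrs in entries
        ]

    def get_by_dn(self, dn):
        """Create/delete path: the composed DN is used directly, no search."""
        for entry_dn, attrs in self.entries:
            if entry_dn.lower() == dn.lower():
                return attrs
        return None

    def search(self, base_dn, attr, value, object_class):
        """Authenticate path: subtree search for
        (&(attr=value)(objectClass=object_class))."""
        return [
            entry_dn for entry_dn, attrs in self.entries
            if entry_dn.lower().endswith(base_dn.lower())
            and value.lower() in attrs.get(attr.lower(), [])
            and object_class.lower() in attrs.get('objectclass', [])
        ]


class IdResolver:
    def __init__(self, directory, id_attr, tree_dn, object_class='inetOrgPerson'):
        self.directory = directory
        self.id_attr = id_attr
        self.tree_dn = tree_dn
        self.object_class = object_class

    def id_to_dn_string(self, object_id):
        """Compose the DN from id_attr and tree_dn, as _id_to_dn_string does."""
        return '%s=%s,%s' % (self.id_attr, escape_dn_chars(str(object_id)), self.tree_dn)

    def id_to_dn_search(self, object_id):
        """Find the DN by filter, as the _ldap_get query does."""
        return self.directory.search(self.tree_dn, self.id_attr, str(object_id), self.object_class)


def compare_lookups(resolver, object_id):
    """Run both strategies and report whether they name the same entry."""
    composed = resolver.id_to_dn_string(object_id)
    hits = resolver.id_to_dn_search(object_id)
    return {
        'composed_dn': composed,
        'composed_exists': resolver.directory.get_by_dn(composed) is not None,
        'search_hits': hits,
        'consistent': len(hits) == 1 and hits[0].lower() == composed.lower(),
    }


# Constructed sample directory.
TREE_DN = 'ou=users,dc=example,dc=com'
USERS = FakeDirectory([
    # The convention the report says things have relied on: the RDN attribute
    # and value equal the id attribute and value.
    ('uid=ayoung,' + TREE_DN,
     {'objectClass': ['inetOrgPerson'], 'uid': ['ayoung'], 'cn': ['Adam Young']}),
    # The report's second case: the DN says CN=ayoung but the entry's cn is Adam.
    ('cn=ayoung,' + TREE_DN,
     {'objectClass': ['inetOrgPerson'], 'cn': ['Adam'], 'uid': ['adam']}),
    # Beyond the report: the RDN is cn but the deployment's id attribute is uid.
    ('cn=Bob Smith,' + TREE_DN,
     {'objectClass': ['inetOrgPerson'], 'cn': ['Bob Smith'], 'uid': ['bsmith']}),
])


if __name__ == '__main__':
    for id_attr, user_id in (('uid', 'ayoung'), ('cn', 'ayoung'), ('uid', 'bsmith')):
        print(id_attr, user_id, compare_lookups(IdResolver(USERS, id_attr, TREE_DN), user_id))
```

With id_attr=uid and the uid=ayoung entry both paths agree. With id_attr=cn and the report's CN=ayoung entry the composed DN exists (so create and delete would operate on it) while the filter search returns nothing (so authenticate would not find the user). With id_attr=uid against a cn-keyed tree the situation inverts: the search finds cn=Bob Smith, but the composed uid=bsmith DN does not exist, so an add or delete addressed by DN would target an entry that is not the one authentication resolves. Either way, the practical check is to assert that the two resolutions agree for every id attribute and tree layout a deployment uses.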