yahoo-eng-team team mailing list archive
Message #27648
[Bug 1415271] Re: user_enabled_attribute string support is poor
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1415271
Title:
user_enabled_attribute string support is poor
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone juno series:
In Progress
Bug description:
When attempting to authenticate with our ldap, we were running into
trouble getting the right value to show up for the user's enabled
attribute.
The result from ldap was:
[('uid=123456789,c=us,ou=our_ldap,o=ibm.com', {'mail': ['shaun@xxxxxxxx'], 'passwordisexpired': ['false'], 'uid': ['123456789']})]
which is turned into:
[(u'uid=123456789,c=us,ou=our_ldap,o=ibm.com', {'mail': [u'shaun@xxxxxxxx'], 'passwordisexpired': [u'false'], 'uid': [123456789]})]
the _ldap_res_to_model function in ldap/core.py seems to be OK, but
the same one at the identity backend for ldap seems to have a few
bugs:
the object before:
{'email': u'shaun@xxxxxxxx', 'enabled': u'false', 'id': 123456789, 'name': u'shaun@xxxxxxxx'}
the object after:
{'dn': u'uid=123456789,c=us,ou=our_ldap,o=ibm.com', 'email': u'shaun@xxxxxxxx', 'enabled': False, 'id': 123456789, 'name': u'shaun@xxxxxxxx'}
Note that the enabled field is still False, just a boolean now instead
of string.
Looks like at:
https://github.com/openstack/keystone/blob/stable/juno/keystone/identity/backends/ldap.py#L223-L227
The check for if type(str) is insufficient, and calling lower without
the parentheses is pointless.
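The two defects the report names (an exact `type(...) is str` test, and `lower` referenced without being called) are shown here next to a stricter coercion. This is an added example, not Keystone's code and not part of the original message; the function names, the fail-closed default and the sample values are assumptions.

```python
"""Added illustration, not Keystone code; all names here are hypothetical."""


def enabled_flawed(value):
    """Constructed 'before': reproduces the two defects the report names."""
    if type(value) is str:            # exact-type test misses bytes and str subclasses
        return value.lower == 'true'  # bound method compared to a str: always False
    return bool(value)                # any non-empty value, even b'false', is truthy


def parse_enabled(value, default=False):
    """Coerce an LDAP boolean-like attribute value to bool, or raise ValueError.

    default is used when the attribute is absent (assumption: fail closed).
    """
    if isinstance(value, (list, tuple)):      # LDAP results wrap values in lists
        if len(value) > 1:
            raise ValueError('multi-valued enabled attribute: %r' % (value,))
        value = value[0] if value else None
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    if isinstance(value, bytes):
        value = value.decode('utf-8')
    if isinstance(value, str):
        text = value.strip().lower()          # lower() is called, not just referenced
        if text == 'true':
            return True
        if text == 'false':
            return False
    # Unknown values are rejected rather than silently treated as enabled.
    raise ValueError('unrecognised enabled value: %r' % (value,))


# Constructed sample values, shaped like the attribute in the report.
SAMPLES = ['true', 'TRUE', 'false', b'false', ['false'], [b'TRUE']]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), enabled_flawed(sample), parse_enabled(sample))
```

With these samples the flawed version reports every plain string as disabled and every bytes or list value as enabled, whatever the value says.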