
yahoo-eng-team team mailing list archive

[Bug 1210141] Re: Document howto config LDAP identity with non-DN based ids.


** Changed in: keystone
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1210141

Title:
  Document howto config LDAP identity with non-DN based ids.

Status in OpenStack Identity (Keystone):
  Won't Fix

Bug description:
  I can successfully configure keystone LDAP settings to authenticate
  against Active Directory using the cn attribute of the user account as
  the user_id_attribute (i.e. user_id_attribute = cn in keystone.conf).
  However, in my (and most) Active Directory deployments, the cn is not
  used as the login ID.  Instead, other attributes such as
  samAccountName or userPrincipalName are used for login.  In Active
  Directory, cn is commonly populated with the user's full name.

  When I try to use samAccountName (i.e. user_id_attribute =
  samAccountName) then authentication fails.

  The search bit works fine:

  2013-08-08 09:43:23    DEBUG [keystone.common.ldap.core] LDAP search:
  dn=cn=Users,dc=seltzer,dc=net, scope=1,
  query=(&(samAccountName=seltzb01a)(objectClass=organizationalPerson)),
  attrs=['businessCategory', 'userPassword', 'userAccountControl',
  'mail', 'cn']

  But the subsequent bind fails when the code appears to build an
  invalid dn and tries to bind with it as shown below:

  2013-08-08 09:43:23    DEBUG [keystone.common.ldap.core] LDAP bind:
  dn=samAccountName=myaccount,cn=Users,dc=mydomain,dc=net

  The dn should start with cn= not samAccountName=.  The code should
  search for a user object by samAccountName and return the correct dn
  to be used for the bind.  Since the dn is invalid, the bind fails and
  authentication fails.

  Invalid user / password (HTTP 401)

  I'm not sure if this is all within the keystone ldap provider code or
  in some dependent LDAP code.  Any help would be much appreciated.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1210141/+subscriptions
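The bind failure described in the report comes down to how the bind DN is derived: concatenating `user_id_attribute=value` onto the user tree DN only works when that attribute is also the entry's RDN (cn in Active Directory), whereas taking the DN returned by the search works for any lookup attribute. The following is an added illustration, not Keystone code and not from the reporter; it models the directory as an in-memory dictionary with constructed entries (the account name, full name and domain are placeholders) and contrasts the two ways of producing a DN for the bind step.

```python
# Added example (not Keystone code): contrast two ways of deriving a bind DN
# from a user lookup against an Active Directory-style tree. All entries are
# constructed sample data; "myaccount" and dc=mydomain are placeholders.

from typing import Dict, List, Optional

USER_TREE_DN = "cn=Users,dc=mydomain,dc=net"  # constructed; mirrors the report's log line

# Tiny in-memory stand-in for the directory: DN -> attributes.
# In AD the RDN of a user object is cn (the person's full name), while
# samAccountName / userPrincipalName carry the login identifier.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Sample User,cn=Users,dc=mydomain,dc=net": {
        "cn": "Sample User",
        "samAccountName": "myaccount",
        "userPrincipalName": "myaccount@mydomain.net",
        "objectClass": "organizationalPerson",
    },
    "cn=Other Person,cn=Users,dc=mydomain,dc=net": {
        "cn": "Other Person",
        "samAccountName": "other",
        "userPrincipalName": "other@mydomain.net",
        "objectClass": "organizationalPerson",
    },
}


def search_user(id_attribute: str, value: str, base_dn: str = USER_TREE_DN) -> List[str]:
    """Return DNs of entries under base_dn whose id_attribute equals value.

    This is the search the report shows succeeding, i.e. the equivalent of
    (&(samAccountName=<value>)(objectClass=organizationalPerson)) with scope=1.
    Attribute values are compared case-insensitively, as AD does.
    """
    suffix = "," + base_dn
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith(suffix)
        and attrs.get("objectClass") == "organizationalPerson"
        and attrs.get(id_attribute, "").lower() == value.lower()
    ]


def bind_dn_by_concatenation(id_attribute: str, value: str, base_dn: str = USER_TREE_DN) -> str:
    """The failing pattern from the report: assume the id attribute is the RDN."""
    return f"{id_attribute}={value},{base_dn}"


def bind_dn_from_search(id_attribute: str, value: str, base_dn: str = USER_TREE_DN) -> Optional[str]:
    """The pattern the reporter asks for: bind with the DN the search returned.

    Returns None unless exactly one entry matches, so a caller never binds to a
    guessed DN for an unknown or ambiguous account.
    """
    matches = search_user(id_attribute, value, base_dn)
    if len(matches) != 1:
        return None
    return matches[0]


def dn_exists(dn: str) -> bool:
    """Stand-in for the bind step: a simple bind can only succeed against a real entry."""
    return dn in DIRECTORY


if __name__ == "__main__":
    naive = bind_dn_by_concatenation("samAccountName", "myaccount")
    found = bind_dn_from_search("samAccountName", "myaccount")
    print("concatenated:", naive, "-> entry exists:", dn_exists(naive))
    print("from search: ", found, "-> entry exists:", dn_exists(found or ""))
```

Running the block shows the concatenated DN `samAccountName=myaccount,cn=Users,dc=mydomain,dc=net` does not correspond to any entry, which is the invalid-DN bind from the log, while the DN taken from the search result (`cn=Sample User,...`) does; with `cn` as the lookup attribute both approaches coincide, which is why the cn-based configuration works in the report.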