yahoo-eng-team team mailing list archive
Message #37293
[Bug 1489105] [NEW] group membership lookup does not support posixGroup (RFC2307)
Public bug reported:
Our LDAP "lookup users in group" logic assumes that the member attribute
contains the user DN.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L168
However, this is not the case for posixGroup (RFC 2307), where the
memberUid is really the uid of the user, not the DN.
Similarly, when looking up groups for a user, we are assuming the member
attribute contains the user DN.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L364
This is not the case for posixAccount, where user group membership is
done via uidNumber. In this case, we should first look up the uidNumber,
then use it to construct the LDAP query to look up the groups for the
user.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1489105
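The following Python example is added here to illustrate the two membership styles the report contrasts; it is not part of the bug report and not Keystone's code. Function and parameter names are hypothetical, the entries are constructed, and it assumes memberUid holds the value of the user's uid attribute, as the report states. Values placed in a filter are escaped per RFC 4515 so that an identifier containing `*`, `(` or `)` cannot alter the query.

```python
# Added illustration: names are hypothetical, not Keystone's API.

def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)


def group_filter_for_user(user_dn, user_attrs, group_class, member_attr,
                          user_id_attr='uid'):
    """Filter selecting the groups a user belongs to.

    groupOfNames-style schemas store the user's DN in the member attribute;
    posixGroup stores a bare identifier in memberUid, so that identifier
    must be read from the user entry first.
    """
    if group_class.lower() == 'posixgroup':
        ids = user_attrs.get(user_id_attr) or []
        if not ids:  # fail closed instead of building an empty assertion
            raise ValueError('user entry has no %s attribute' % user_id_attr)
        value = ids[0]
    else:
        value = user_dn
    return '(&(objectClass=%s)(%s=%s))' % (
        group_class, member_attr, escape_filter_value(value))


def user_lookups_for_group(group_attrs, group_class, member_attr,
                           user_class='posixAccount', user_id_attr='uid'):
    """Return ('dn', value) or ('filter', value) pairs, one per member."""
    lookups = []
    for value in group_attrs.get(member_attr, []):
        if group_class.lower() == 'posixgroup':
            lookups.append(('filter', '(&(objectClass=%s)(%s=%s))' % (
                user_class, user_id_attr, escape_filter_value(value))))
        else:
            lookups.append(('dn', value))  # value already is the entry DN
    return lookups


# Constructed sample entries
USER_DN = 'uid=jdoe,ou=People,dc=example,dc=org'
USER = {'uid': ['jdoe'], 'uidNumber': ['1001']}
POSIX_GROUP = {'cn': ['devs'], 'memberUid': ['jdoe', 'a*(b)']}

if __name__ == '__main__':
    print(group_filter_for_user(USER_DN, USER, 'groupOfNames', 'member'))
    print(group_filter_for_user(USER_DN, USER, 'posixGroup', 'memberUid'))
    print(user_lookups_for_group(POSIX_GROUP, 'posixGroup', 'memberUid'))
```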