yahoo-eng-team team mailing list archive

[Bug 1515302] [NEW] Group membership attribute is hard-coded when using 'user_enable_emulation'

Public bug reported:

The 'group_member_attribute' is used in Keystone when looking for groups
in LDAP to find membership. But, when using 'user_enable_emulation', the
following code in keystone/common/ldap/core.py instead references a hard
coded 'member' entry instead of 'group_member_attribute'.

---
	def _get_enabled(self, object_id):
		dn = self._id_to_dn(object_id)
		query = '(member=%s)' % dn         <---- Here
		with self.get_connection() as conn:
			try:
				enabled_value = conn.search_s(self.enabled_emulation_dn,
											  ldap.SCOPE_BASE,
											  query, ['cn'])
			except ldap.NO_SUCH_OBJECT:
				return False
			else:
				return bool(enabled_value)
---

As a result, when integrating Keystone with an LDAP back-end and using
the 'enabled_user_emulation' feature with a group for which the
membership attribute is 'uniquemember', users are listed as not enabled.

** Affects: keystone
     Importance: Undecided
     Assignee: Nathan Kinder (nkinder)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Nathan Kinder (nkinder)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515302
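A runnable illustration of the behaviour described in this report, added here and not taken from keystone: a small stand-in for python-ldap's search_s evaluates a single equality filter against a constructed group entry, so the hard-coded '(member=...)' query can be compared side by side with one built from the configured group_member_attribute. FakeLdapConnection, NoSuchObject, the DIRECTORY entries and the escape_filter_value helper are assumptions made for this example; the filter escaping is an extra hardening step shown here, not the fix the report asks for, and the example also covers a plain groupOfNames group and a missing group DN.

```python
"""Added example (not keystone code): a hard-coded '(member=...)' filter
reports users as disabled when the emulation group uses 'uniquemember'.

FakeLdapConnection stands in for python-ldap's search_s so this runs offline.
"""
import re

SCOPE_BASE = 0  # mirrors ldap.SCOPE_BASE; only base-scope search is modelled


class NoSuchObject(Exception):
    """Stands in for ldap.NO_SUCH_OBJECT (the base DN does not exist)."""


# Constructed sample directory: the enabled-emulation group is a
# groupOfUniqueNames, so membership lives in 'uniquemember', not 'member'.
DIRECTORY = {
    "cn=enabled_users,ou=groups,dc=example,dc=com": {
        "cn": ["enabled_users"],
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=alice,ou=users,dc=example,dc=com"],
    },
    "cn=legacy_enabled,ou=groups,dc=example,dc=com": {
        "cn": ["legacy_enabled"],
        "objectclass": ["groupOfNames"],
        "member": ["uid=bob,ou=users,dc=example,dc=com"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    DN containing '(', ')', '*' or '\\' cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeLdapConnection:
    """Evaluates one '(attr=value)' equality filter against one entry, which
    is all _get_enabled needs from search_s at SCOPE_BASE."""

    def __init__(self, directory):
        self.directory = directory

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def search_s(self, base, scope, filterstr, attrlist=None):
        assert scope == SCOPE_BASE
        entry = self.directory.get(base)
        if entry is None:
            raise NoSuchObject(base)
        m = re.fullmatch(r"\((\w+)=(.*)\)", filterstr)
        if not m:
            raise ValueError("unsupported filter: %r" % filterstr)
        attr, wanted = m.group(1).lower(), _unescape(m.group(2)).lower()
        if wanted not in [v.lower() for v in entry.get(attr, [])]:
            return []  # entry exists but the user is not listed in that attribute
        attrs = {k: v for k, v in entry.items() if not attrlist or k in attrlist}
        return [(base, attrs)]


class EnabledEmulation:
    """Minimal model of the lookup; hard_coded=True reproduces the report."""

    def __init__(self, conn, enabled_emulation_dn, group_member_attribute,
                 hard_coded=False):
        self.conn = conn
        self.enabled_emulation_dn = enabled_emulation_dn
        self.group_member_attribute = group_member_attribute
        self.hard_coded = hard_coded

    def get_connection(self):
        return self.conn

    def _get_enabled(self, dn):
        if self.hard_coded:
            query = "(member=%s)" % dn  # the line flagged in the report
        else:
            query = "(%s=%s)" % (self.group_member_attribute,
                                 escape_filter_value(dn))
        with self.get_connection() as conn:
            try:
                enabled_value = conn.search_s(self.enabled_emulation_dn,
                                              SCOPE_BASE, query, ["cn"])
            except NoSuchObject:
                return False
            else:
                return bool(enabled_value)


def demo():
    """Returns (hard-coded result, configured-attribute result,
    non-member result, groupOfNames result) for the sample directory."""
    conn = FakeLdapConnection(DIRECTORY)
    group = "cn=enabled_users,ou=groups,dc=example,dc=com"
    alice = "uid=alice,ou=users,dc=example,dc=com"
    buggy = EnabledEmulation(conn, group, "uniquemember", hard_coded=True)
    fixed = EnabledEmulation(conn, group, "uniquemember")
    legacy = EnabledEmulation(conn, "cn=legacy_enabled,ou=groups,dc=example,dc=com",
                              "member")
    return (
        buggy._get_enabled(alice),  # False: alice wrongly appears disabled
        fixed._get_enabled(alice),  # True
        fixed._get_enabled("uid=carol,ou=users,dc=example,dc=com"),  # False
        legacy._get_enabled("uid=bob,ou=users,dc=example,dc=com"),   # True
    )


if __name__ == "__main__":
    print(demo())
```

The first tuple element is the reported symptom: the group entry exists and lists alice under uniquemember, but the '(member=...)' filter never matches it, so search_s returns an empty result and the user is treated as disabled. A missing enabled_emulation_dn still yields False through the NoSuchObject path in both variants.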
