yahoo-eng-team team mailing list archive
Message #45050
[Bug 1515302] Re: Group membership attribute is hard-coded when using 'user_enable_emulation'
** Also affects: keystone/kilo
Importance: Undecided
Status: New
** Changed in: keystone/kilo
Status: New => Fix Committed
** Changed in: keystone/kilo
Milestone: None => 2015.1.3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515302
Title:
Group membership attribute is hard-coded when using
'user_enable_emulation'
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Fix Committed
Bug description:
The 'group_member_attribute' is used in Keystone when looking for
groups in LDAP to find membership. But, when using
'user_enable_emulation', the following code in
keystone/common/ldap/core.py references a hard-coded 'member'
entry instead of 'group_member_attribute'.
---
    # Excerpt from keystone/common/ldap/core.py (indentation restored).
    def _get_enabled(self, object_id):
        dn = self._id_to_dn(object_id)
        query = '(member=%s)' % dn   # <---- Here: 'member' is hard-coded
        with self.get_connection() as conn:
            try:
                enabled_value = conn.search_s(self.enabled_emulation_dn,
                                              ldap.SCOPE_BASE,
                                              query, ['cn'])
            except ldap.NO_SUCH_OBJECT:
                return False
            else:
                return bool(enabled_value)
---
As a result, when integrating Keystone with an LDAP back-end and using
the 'enabled_user_emulation' feature with a group for which the
membership attribute is 'uniquemember', users are listed as not
enabled.
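The failure mode described above, as an added example that is not part of the bug report or of keystone's code: a small in-memory stand-in for an LDAP directory holding one enabled-emulation group of objectClass groupOfUniqueNames (membership attribute 'uniquemember', as in the report), the lookup with the hard-coded 'member' filter beside a corrected lookup that builds the filter from the configured group_member_attribute, and a configuration check that tells an operator whether the emulation group actually carries the attribute keystone has been told to use. The directory entry, the DN layout, the mock search_s and the function names are constructed for this example; the corrected query is illustrative and not a claim about the project's own patch.

```python
"""Enabled-emulation lookup with a hard-coded vs. configured membership attribute.

Added illustration of bug 1515302; nothing here is keystone's own code.
"""


class NoSuchObject(Exception):
    """Stands in for ldap.NO_SUCH_OBJECT (base DN does not exist)."""


# Constructed directory: the enabled-emulation group uses 'uniquemember',
# so a filter on 'member' never matches anything.
ENABLED_EMULATION_DN = "cn=enabled_users,ou=groups,dc=example,dc=com"

DIRECTORY = {
    ENABLED_EMULATION_DN: {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["enabled_users"],
        "uniquemember": [
            "uid=alice,ou=users,dc=example,dc=com",
            "uid=bob,ou=users,dc=example,dc=com",
        ],
    },
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a filter assertion value.

    A DN interpolated into a filter string is still a filter value, so the
    corrected lookup escapes it the way python-ldap's
    ldap.filter.escape_filter_chars would.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_s(base_dn, filterstr):
    """Mock of search_s with SCOPE_BASE and a single (attr=value) filter.

    Returns the matching entries as a list; raises NoSuchObject when the
    base DN itself is absent, mirroring ldap.NO_SUCH_OBJECT.
    """
    attr, _, value = filterstr.strip("()").partition("=")
    entry = DIRECTORY.get(base_dn)
    if entry is None:
        raise NoSuchObject(base_dn)
    # LDAP attribute names are case-insensitive.
    attrs = {k.lower(): v for k, v in entry.items()}
    return [(base_dn, entry)] if value in attrs.get(attr.lower(), []) else []


def id_to_dn(user_id):
    """Constructed user DN layout (stands in for self._id_to_dn)."""
    return "uid=%s,ou=users,dc=example,dc=com" % user_id


def is_enabled_buggy(user_id):
    """Mirror of the reported behaviour: the attribute is hard-coded to 'member'."""
    query = "(member=%s)" % id_to_dn(user_id)
    try:
        return bool(search_s(ENABLED_EMULATION_DN, query))
    except NoSuchObject:
        return False


def is_enabled_fixed(user_id, group_member_attribute="uniquemember"):
    """Corrected form: build the filter from the configured attribute."""
    query = "(%s=%s)" % (group_member_attribute,
                         escape_filter_value(id_to_dn(user_id)))
    try:
        return bool(search_s(ENABLED_EMULATION_DN, query))
    except NoSuchObject:
        return False


def emulation_group_uses(attribute):
    """Deployment check: does the emulation group carry the configured attribute?

    If this returns False, every user will be reported as disabled, which is
    exactly the silent outcome the bug report describes.
    """
    entry = DIRECTORY.get(ENABLED_EMULATION_DN, {})
    return attribute.lower() in {k.lower() for k in entry}


if __name__ == "__main__":
    for user in ("alice", "carol"):
        print(user, "buggy:", is_enabled_buggy(user),
              "fixed:", is_enabled_fixed(user))
    print("group carries 'member':", emulation_group_uses("member"))
```

With the group above, the hard-coded lookup reports alice as disabled while the corrected lookup finds her; the configuration check fails for 'member' and passes for 'uniquemember'. Note that the failure is fail-closed (users lose access rather than gain it), which is why it surfaces as "everyone is disabled" rather than as a privilege problem.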
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1515302/+subscriptions