yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1515302] Re: Group membership attribute is hard-coded when using 'user_enable_emulation'

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Dave Walker <email@xxxxxxxxxx>
Date: Thu, 21 Jan 2016 23:16:47 -0000
Reply-to: Bug 1515302 <1515302@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone/kilo
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515302

Title:
  Group membership attribute is hard-coded when using
  'user_enable_emulation'

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Released

Bug description:
  The 'group_member_attribute' is used in Keystone when looking for
  groups in LDAP to find membership. But, when using
  'user_enable_emulation', the following code in
  keystone/common/ldap/core.py instead references a hard coded 'member'
  entry instead of 'group_member_attribute'.

  ---
  	def _get_enabled(self, object_id):
  		dn = self._id_to_dn(object_id)
  		query = '(member=%s)' % dn         <---- Here
  		with self.get_connection() as conn:
  			try:
  				enabled_value = conn.search_s(self.enabled_emulation_dn,
  											  ldap.SCOPE_BASE,
  											  query, ['cn'])
  			except ldap.NO_SUCH_OBJECT:
  				return False
  			else:
  				return bool(enabled_value)
  ---

  As a result, when integrating Keystone with an LDAP back-end and using
  the 'enabled_user_emulation' feature with a group for which the
  membership attribute is 'uniquemember', users are listed as not
  enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1515302/+subscriptions

References

[Bug 1515302] [NEW] Group membership attribute is hard-coded when using 'user_enable_emulation'
From: Nathan Kinder, 2015-11-11