yahoo-eng-team team mailing list archive
Message #47264
[Bug 1546136] Re: openstack user group lookup returns nothing
*** This bug is a duplicate of bug 1526462 ***
https://bugs.launchpad.net/bugs/1526462
** This bug has been marked a duplicate of bug 1526462
Need support for OpenDirectory in LDAP driver
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546136
Title:
openstack user group lookup returns nothing
Status in OpenStack Identity (keystone):
New
Bug description:
When issuing the "openstack group list --user <openldapuserID> --user-domain <domain>" command on a domain associated with OpenLDAP, an incorrect LDAP query is composed and openstack-keystone reports nothing at all.
OpenLDAP is running on a CentOS 7 host.
Openstack keystone release is Liberty running on a CentOS 7 host.
OpenLDAP version: OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12)
openstack v: 1.7.2
Keystone log when issuing the command:
LDAP search: base=ou=Group,dc=gvadc,dc=localdomain scope=2 filterstr=(&(memberUid=cn=<first_name last_name>,ou=People,dc=<domain>,dc=localdomain)(objectClass=posixGroup)(cn=*)) attrs=['cn', 'description'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:934
When translating the query to ldapsearch, it returns no results because the filterstr contains memberUid=cn=<first_name last_name>,... instead of the user ID:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -W -x -b ou=Group,dc=<domain>,dc=localdomain "(&(memberUid=cn=<first_name last_name>,ou=People,dc=<domain>,dc=localdomain)(objectClass=posixGroup)(cn=*))"
With the correct filter, the search is successful:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -W -x -b ou=Group,dc=<domain>,dc=localdomain "(&(memberUid=<openldapuserID>)(objectClass=posixGroup)(cn=*))"
So it seems that the filterstr is not correctly composed by the
openstack-python scripts.
Keystone is configured with the domain-specific driver enabled. The OpenLDAP domain authenticates users only; service accounts are still managed by the native SQL backend.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1546136/+subscriptions
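The following is an added example, not keystone's code and not part of the bug report above. It reproduces the shape of the filterstr in the keystone log and shows why asserting the user's DN against memberUid finds nothing: posixGroup stores bare user IDs in memberUid, while groupOfNames stores DNs in member, so the value interpolated into the filter has to come from the user's uid attribute, not from its DN. The `members_are_ids` switch, the `lookup` helper, the in-memory stand-in for search_s and the directory data are all constructed for illustration. Because the asserted value is user-controlled, the block also escapes it per RFC 4515 before interpolation, which the log line does not show either way.

```python
# Added example (not keystone's own code): composing the group-membership
# filter from a user entry, the DN-based form that fails against
# posixGroup/memberUid, the ID-based form that works, and RFC 4515 escaping.

# Constructed sample directory data; names and DNs are placeholders.
SAMPLE_USER_DN = "cn=Jane Doe,ou=People,dc=example,dc=localdomain"
SAMPLE_USER_ATTRS = {"cn": ["Jane Doe"], "uid": ["jdoe"]}
SAMPLE_GROUPS = {
    "cn=admins,ou=Group,dc=example,dc=localdomain": {
        "objectClass": ["posixGroup"], "cn": ["admins"], "memberUid": ["jdoe", "root"]},
    "cn=devs,ou=Group,dc=example,dc=localdomain": {
        "objectClass": ["posixGroup"], "cn": ["devs"], "memberUid": ["alice"]},
}

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value before interpolating it into a search filter, so a user ID
    such as 'j*' or 'x)(uid=*' cannot widen or rewrite the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_value(user_dn, user_attrs, members_are_ids, id_attr="uid"):
    """Value to look for in the group's member attribute.
    groupOfNames/member stores DNs; posixGroup/memberUid stores bare user IDs.
    The members_are_ids flag is this example's own, not a keystone setting."""
    if members_are_ids:
        return user_attrs[id_attr][0]
    return user_dn


def build_group_filter(member_attr, member_value, group_objectclass):
    """Same shape as the filterstr in the keystone log:
    (&(<member_attr>=<value>)(objectClass=<class>)(cn=*))"""
    return "(&(%s=%s)(objectClass=%s)(cn=*))" % (
        member_attr, escape_filter_value(member_value), group_objectclass)


def groups_for_user(groups, member_attr, member_value, group_objectclass):
    """Evaluate the membership filter against in-memory group entries (a
    stand-in for search_s). Returns the cn of every group of the given class
    whose member attribute holds the value. Matching is exact, so a DN never
    matches an entry whose memberUid values are user IDs."""
    return sorted(
        attrs["cn"][0] for attrs in groups.values()
        if group_objectclass in attrs["objectClass"]
        and member_value in attrs.get(member_attr, []))


def lookup(members_are_ids):
    """Run the whole lookup for the sample user against the sample groups."""
    value = group_member_value(SAMPLE_USER_DN, SAMPLE_USER_ATTRS, members_are_ids)
    return groups_for_user(SAMPLE_GROUPS, "memberUid", value, "posixGroup")


if __name__ == "__main__":
    # Filter as composed in the report (DN asserted against memberUid): no groups.
    print(build_group_filter("memberUid", SAMPLE_USER_DN, "posixGroup"), lookup(False))
    # Filter with the user's uid: finds the group.
    print(build_group_filter("memberUid", "jdoe", "posixGroup"), lookup(True))
```

Running the block prints the DN-based filter with an empty result list, then the uid-based filter with `['admins']`, which is the same contrast the two ldapsearch commands above show against a real server.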