yahoo-eng-team team mailing list archive, Message #60741
[Bug 1658641] [NEW] Moving/disabling LDAP users break Keystone queries depending on role ID
Public bug reported:
- ubuntu 16.04
- keystone 2:9.2.0-ubuntu1 (mitaka)
- python-openstackclient 2.3.0-2
- swift 2.7.0-0ubuntu2 (mitaka)
Hi, I got a Keystone installation with a domain using the LDAP driver to
connect to AD (read-only). It's working great, and even though I don't
administrate the AD the separation hasn't been a problem until now.
Primary usage is to authenticate users with Swift.
Projects and project members are more or less mapped 1:1 to specific AD
groups, generated during setup. An ongoing process has been to keep this
up to date with new/old employees/groups. The issue arises with the
current company policy, where the user accounts of old employees are not
disabled, but moved to a separate OU. For instance:
| CN=Doe, John, OU=Users, DC=DOMAIN, DC=COM
| CN=Doe, John, OU=Former employees, DC=DOMAIN, DC=COM
Whenever this happens it seems to break the role assignment for the
user. Commands such as listing users in the user's project, or looking
up the user's details, yield the error "Could not find resource <id>".
Does moving users in AD break the identity mapping, and thus their ID
with relations stored in Keystone? Is there any possible configuration
that can be done to avoid this?
--- keystone.DOMAIN.conf ----
[ldap]
url =
user =
password =
suffix =
query_scope = sub
page_size = 500
user_tree_dn =
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore =
user_allow_create = false
user_allow_update = false
user_allow_delete = false
[identity]
driver = ldap
--- openstack_user_list.txt ----
# user's id is listed in response to listing users that belong in a project,
# and while keystone is able to find the correct username based on id, it can't find the user itself
$ openstack user list --debug --project PROJECT --long
...
REQ: curl -g -i -X GET https://domain.com:35357/v3/role_assignments?scope.project.id=<id> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/role_assignments?scope.project.id=<id> HTTP/1.1" 200 4401
RESP: [200] Content-Length: 4401 Vary: X-Auth-Token Keep-Alive: timeout=5, max=98 Server: Apache/2.4.18 (Ubuntu) Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT x-openstack-request-id req-<id> Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"role_assignments": [{"scope": {"project": {"id": "<id>"}}, "role": {"id": "<id>"}, "user": {"id": "<id>"}, "links": {"assignment": "https://domain.com:35357/v3/projects/<id>/users/<id>/roles/<id>"}}, ...
...
REQ: curl -g -i -X GET https://domain.com:35357/v3/users/<id> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<token>"
"GET /v3/users/<id> HTTP/1.1" 404 89
RESP: [404] Content-Length: 89 Vary: X-Auth-Token Keep-Alive: timeout=5, max=89 Server: Apache/2.4.18 (Ubuntu) Connection: Keep-Alive Date: Fri, 20 Jan 2017 13:54:19 GMT x-openstack-request-id: req-<id> Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"error": {"message": "Could not find user: <username>", "code": 404, "title": "Not Found"}}
...
Could not find resource <id>
** Affects: keystone
Importance: Undecided
Status: New
** Tags: ldap
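The failure the report shows has two halves: GET /v3/role_assignments still returns the user's ID, while GET /v3/users/<id> returns 404 because the LDAP driver can no longer find the entry. The script below is an added example, not code from the bug report or from Keystone. It models that behaviour with constructed data: a directory where one account has been moved out of the user search base, a lookup that only finds entries under user_tree_dn (the report leaves that value blank, so OU=Users,DC=DOMAIN,DC=COM is assumed), the documented user_enabled_mask check from the posted config, and an audit that flags role assignments whose user no longer resolves or is disabled. For brevity it uses sAMAccountName directly as the user ID; real Keystone maps LDAP local IDs to hashed public IDs, which does not change the logic.

```python
"""Audit Keystone-style role assignments for users the LDAP backend can no longer resolve.

Added example, not from the bug report or Keystone. All directory entries,
IDs and assignments below are constructed.
"""
import json

USER_TREE_DN = "OU=Users,DC=DOMAIN,DC=COM"  # assumed; blank in the posted config
QUERY_SCOPE = "sub"                           # from the posted config
USER_ENABLED_MASK = 2                         # from the posted config (ACCOUNTDISABLE bit)


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (e.g. 'CN=Doe\\, John')."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair as-is
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn):
    """Case-fold attribute and value; DN matching in AD is case-insensitive."""
    attr, _, val = rdn.partition("=")
    return attr.strip().lower() + "=" + val.strip().lower()


def dn_in_scope(dn, base_dn, scope="sub"):
    """True if a search rooted at base_dn with the given scope would return dn."""
    d = [normalize_rdn(r) for r in split_dn(dn)]
    b = [normalize_rdn(r) for r in split_dn(base_dn)]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                          # not under the base at all
    depth = len(d) - len(b)
    if scope == "sub":
        return True
    if scope == "one":
        return depth == 1
    if scope == "base":
        return depth == 0
    raise ValueError("unknown scope: %s" % scope)


# Constructed AD entries: sAMAccountName -> (DN, userAccountControl).
# jdoe was moved to the "Former employees" OU; bjones has the disabled bit set.
DIRECTORY = {
    "jdoe": ("CN=Doe\\, John,OU=Former employees,DC=DOMAIN,DC=COM", 512),
    "asmith": ("CN=Smith\\, Alice,OU=Users,DC=DOMAIN,DC=COM", 512),
    "bjones": ("CN=Jones\\, Bob,OU=Users,DC=DOMAIN,DC=COM", 514),
}


def ldap_get_user(local_id):
    """Model of the driver lookup: the entry must sit under user_tree_dn.

    Returning None is what the API surfaces as 404 "Could not find user".
    With a non-zero user_enabled_mask, the user is enabled when
    userAccountControl AND mask is zero.
    """
    entry = DIRECTORY.get(local_id)
    if entry is None or not dn_in_scope(entry[0], USER_TREE_DN, QUERY_SCOPE):
        return None
    dn, uac = entry
    return {"name": local_id, "dn": dn, "enabled": (uac & USER_ENABLED_MASK) == 0}


# Constructed response in the shape of GET /v3/role_assignments?scope.project.id=proj1
ROLE_ASSIGNMENTS = json.loads("""{"role_assignments": [
  {"scope": {"project": {"id": "proj1"}}, "role": {"id": "member"}, "user": {"id": "jdoe"}},
  {"scope": {"project": {"id": "proj1"}}, "role": {"id": "member"}, "user": {"id": "asmith"}},
  {"scope": {"project": {"id": "proj1"}}, "role": {"id": "admin"}, "user": {"id": "bjones"}},
  {"scope": {"project": {"id": "proj1"}}, "role": {"id": "member"}, "group": {"id": "ops"}}
]}""")


def audit_assignments(assignments, lookup=ldap_get_user):
    """Classify user assignments as 'ok', 'disabled' or 'orphaned' (user no longer resolvable)."""
    report = {"ok": [], "disabled": [], "orphaned": []}
    for a in assignments["role_assignments"]:
        uid = a.get("user", {}).get("id")
        if uid is None:
            continue                          # group assignment; not modelled here
        user = lookup(uid)
        if user is None:
            report["orphaned"].append(uid)
        elif not user["enabled"]:
            report["disabled"].append(uid)
        else:
            report["ok"].append(uid)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_assignments(ROLE_ASSIGNMENTS), indent=2))
```

Running the audit on real data means walking the role_assignments listing and resolving each user ID, exactly the two calls in the debug output above; the orphaned bucket is the set of assignments that still grant a role to an account Keystone cannot see, which is what a tidy-up or a monitoring check should report.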
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1658641