yahoo-eng-team team mailing list archive

[Bug 1671196] [NEW] user list for LDAP group does not contain all members

Public bug reported:

When running `openstack user list --domain mydomain --group mygroup`, all
users in the LDAP group are not returned.  Examples below - but it seems
that when the distinguishedName does not match the userid/SAMAccount
property - the entry is not displayed.

Example of a user ID that is NOT displayed, but authentication works fine:
LDAP group "groupname":
```
distinguishedName
-----------------
CN=LASTNAME\, FIRSTNAME,OU=Users,OU=HQ,DC=subdomain,DC=domain,DC=com
```
OpenStack user query:
```
~# openstack user list --domain domain --group groupname
```
result: returns no user ID/Name

Example of a user ID that is CORRECTLY displayed, and authentication works:
LDAP group "groupname":
```
distinguishedName
-----------------
CN=userid,OU=Users,OU=HQ,DC=subdomain,DC=domain,DC=com
```
OpenStack user query:
```
~# openstack user list --domain domain --group groupname
```
result: returns ID and Name correctly
```
+------------------------------------------------------------------+------------+
| ID                                                               | Name       |
+------------------------------------------------------------------+------------+
| 76665c0ff7d4b75a173780ce744f3b86ca97358f23e8d928c4eb25b84c99926a | userid     |
```

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1671196
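
A check for the pattern the reporter describes, added here as an example (it is not keystone's code and not part of the report): it parses each group member DN with RFC 4514 backslash escaping and lists the members whose first RDN value differs from the account name. The `sAMAccountName` values and all function names are assumptions, and the report does not establish this mismatch as the root cause.

```python
import re

# Constructed sample: the two member DNs are the ones quoted in the report;
# the sAMAccountName values are assumptions (the report does not give them).
GROUP_MEMBERS = [
    r"CN=LASTNAME\, FIRSTNAME,OU=Users,OU=HQ,DC=subdomain,DC=domain,DC=com",
    "CN=userid,OU=Users,OU=HQ,DC=subdomain,DC=domain,DC=com",
]
SAM_BY_DN = {GROUP_MEMBERS[0]: "flastname", GROUP_MEMBERS[1]: "userid"}


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas only."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Undo RFC 4514 escapes: \\XX hex pairs (ASCII only here) and \\<char>."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def first_rdn_value(dn):
    _attr, _, value = split_rdns(dn)[0].partition("=")
    return unescape(value.strip())


def members_fitting_report(members, sam_by_dn):
    """Members whose first RDN value is not their account name."""
    hits = []
    for dn in members:
        rdn, sam = first_rdn_value(dn), sam_by_dn.get(dn)
        if sam is None or rdn.lower() != sam.lower():
            hits.append((dn, rdn, sam))
    return hits
```

Comparing the output of `members_fitting_report` with what `openstack user list --group` returns shows whether the missing members are exactly the ones with a display-name style CN.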
