
yahoo-eng-team team mailing list archive

[Bug 1722293] [NEW] Keystone not removing mapping between deleted LDAP user and Openstack

Public bug reported:

Keystone not removing mapping between deleted LDAP user and Openstack

The client is using LDAP for authentication and has used uid as the key
for user_id_attribute. The client created an LDAP user, say ABC, with
UID=100; this user is associated with an OpenStack user ABC. The
relationship is recorded in the id_mapping table within the keystone database.

Now when the client deletes the LDAP user ABC, the entry is not deleted
from the id_mapping table. Thus when the client creates a new LDAP user
XYZ which gets the same UID=100, the stale record in id_mapping
prevents the new user XYZ from authenticating and successfully logging on to
OpenStack.

Note: there is no record for XYZ within the id_mapping table.

Details of domain config:

# User supplied configuration flags
user_filter = (memberof=cn=xxx,ou=Group,dc=xxx,dc=xxx)
user_id_attribute = uidNumber
user_name_attribute = uid
user_objectclass = posixAccount
user_tree_dn = ou=xxxxx,dc=xxx,dc=xx
[identity]
driver = ldap

Table Description

mysql> desc id_mapping;
+-------------+----------------------+------+-----+---------+-------+
| Field       | Type                 | Null | Key | Default | Extra |
+-------------+----------------------+------+-----+---------+-------+
| public_id   | varchar(64)          | NO   | PRI | NULL    |       |
| domain_id   | varchar(64)          | NO   | MUL | NULL    |       |
| local_id    | varchar(64)          | NO   |     | NULL    |       |
| entity_type | enum('user','group') | NO   |     | NULL    |       |
+-------------+----------------------+------+-----+---------+-------+
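The following is an added example, not code from the bug report or from Keystone itself. It recreates the id_mapping table shown above in SQLite (MySQL in the report), fills it with constructed rows, and runs the two checks an operator would want here: mapping rows whose local_id no longer exists in LDAP at all, and local_ids that still exist but now name a different LDAP entry, which is exactly the ABC/XYZ reuse described. The domain and public ids are placeholders, the LDAP snapshots are constructed dictionaries of uidNumber to uid (what the user_id_attribute and user_name_attribute settings above would yield), and the unique constraint on (domain_id, local_id, entity_type) is an assumption, since the desc output only shows domain_id as an indexed column.

```python
import sqlite3

# Constructed: the id_mapping table from the report, recreated in SQLite.
# The UNIQUE constraint is assumed; the MySQL output only marks domain_id as MUL.
SCHEMA = """
CREATE TABLE id_mapping (
    public_id   VARCHAR(64) NOT NULL PRIMARY KEY,
    domain_id   VARCHAR(64) NOT NULL,
    local_id    VARCHAR(64) NOT NULL,
    entity_type TEXT        NOT NULL CHECK (entity_type IN ('user', 'group')),
    UNIQUE (domain_id, local_id, entity_type)
);
"""

# Constructed sample rows; domain and public ids are placeholders.
SAMPLE_ROWS = [
    ("pub-abc", "domain-1", "100",  "user"),   # ABC: uidNumber 100 is later reused by XYZ
    ("pub-def", "domain-1", "101",  "user"),   # DEF: still present in LDAP
    ("pub-ghi", "domain-1", "102",  "user"),   # GHI: deleted from LDAP, uidNumber not reused
    ("pub-ops", "domain-1", "5000", "group"),  # a group mapping, still present
]

# Constructed LDAP snapshots: uidNumber (local_id) -> uid (name).
LDAP_USERS_BEFORE = {"100": "ABC", "101": "DEF", "102": "GHI"}
LDAP_USERS_NOW    = {"100": "XYZ", "101": "DEF"}   # ABC and GHI deleted, XYZ received 100
LDAP_GROUPS_NOW   = {"5000": "ops"}


def build_sample_db():
    """In-memory copy of id_mapping loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO id_mapping VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_orphaned_mappings(conn, domain_id, entity_type, current_ldap):
    """Mapping rows whose local_id no longer exists in LDAP at all."""
    rows = conn.execute(
        "SELECT public_id, local_id FROM id_mapping "
        "WHERE domain_id = ? AND entity_type = ? ORDER BY local_id",
        (domain_id, entity_type),
    ).fetchall()
    return [(public_id, local_id) for public_id, local_id in rows
            if local_id not in current_ldap]


def find_reused_local_ids(ldap_before, ldap_now):
    """local_ids present in both snapshots but now naming a different entry.

    This is the case the table alone cannot reveal: id_mapping stores no name,
    so a reused uidNumber looks like a perfectly healthy mapping.
    """
    return sorted(local_id for local_id, name in ldap_now.items()
                  if local_id in ldap_before and ldap_before[local_id] != name)


def audit(conn, domain_id, ldap_users_before, ldap_users_now, ldap_groups_now):
    """Run both checks for one domain and return the findings."""
    return {
        "orphaned_users": find_orphaned_mappings(conn, domain_id, "user", ldap_users_now),
        "orphaned_groups": find_orphaned_mappings(conn, domain_id, "group", ldap_groups_now),
        "reused_user_ids": find_reused_local_ids(ldap_users_before, ldap_users_now),
    }


def purge_mappings(conn, domain_id, entity_type, local_ids):
    """Delete the selected mapping rows; returns the number of rows removed."""
    cur = conn.executemany(
        "DELETE FROM id_mapping WHERE domain_id = ? AND entity_type = ? AND local_id = ?",
        [(domain_id, entity_type, local_id) for local_id in local_ids],
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    findings = audit(db, "domain-1", LDAP_USERS_BEFORE, LDAP_USERS_NOW, LDAP_GROUPS_NOW)
    for key, value in findings.items():
        print(f"{key}: {value}")
    to_purge = [local_id for _, local_id in findings["orphaned_users"]] + findings["reused_user_ids"]
    print("purged:", purge_mappings(db, "domain-1", "user", to_purge))
```

Against the sample data the first check flags only GHI (local_id 102); the reused uidNumber 100 passes it, because from the table plus the current directory a mapping to a live uidNumber is indistinguishable from a correct one. That is why the second check needs an earlier snapshot of the directory, or an LDAP attribute that is never reassigned. Keystone's own keystone-manage mapping_purge command can remove mapping rows selected by domain, local id or public id once the stale rows are identified, and pointing user_id_attribute at an attribute that is never reused avoids the collision in the first place.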

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: canonical-bootstack

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1722293

Title:
  Keystone not removing mapping between deleted LDAP user and Openstack

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1722293/+subscriptions