
yahoo-eng-team team mailing list archive

[Bug 1722293] Re: Keystone not removing mapping between deleted LDAP user and Openstack


Adding the charm because maybe there's a more unique field we can use
than uid, given this behaviour with re-use of uids

** Project changed: keystone => charm-keystone-ldap

** Also affects: keystone
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1722293

Title:
  Keystone not removing mapping between deleted LDAP user and Openstack

Status in OpenStack Keystone LDAP integration:
  New
Status in OpenStack Identity (keystone):
  New

Bug description:
  Keystone not removing mapping between deleted LDAP user and Openstack

  The client is using LDAP for authentication and has used uid as a key
  for user_id_attribute. The client created an LDAP user, say ABC, with
  UID=100; this user is associated with an OpenStack user ABC. The
  relationship is recorded in the id_mapping table within the keystone database.

  Now when the client deletes the LDAP user ABC, the entry is not deleted
  from the id_mapping table. Thus when the client creates a new LDAP user
  XYZ which gets the same UID=100, the incorrect record in id_mapping
  restricts the new user XYZ from authenticating and successfully logging on
  to OpenStack.

  Note: there is no record for XYZ within the id_mapping table.

  Details of domain config:

  # User supplied configuration flags
  user_filter = (memberof=cn=xxx,ou=Group,dc=xxx,dc=xxx)
  user_id_attribute = uidNumber
  user_name_attribute = uid
  user_objectclass = posixAccount
  user_tree_dn = ou=xxxxx,dc=xxx,dc=xx
  [identity]
  driver = ldap

  Table Description

  mysql> desc id_mapping;
  +-------------+----------------------+------+-----+---------+-------+
  | Field       | Type                 | Null | Key | Default | Extra |
  +-------------+----------------------+------+-----+---------+-------+
  | public_id   | varchar(64)          | NO   | PRI | NULL    |       |
  | domain_id   | varchar(64)          | NO   | MUL | NULL    |       |
  | local_id    | varchar(64)          | NO   |     | NULL    |       |
  | entity_type | enum('user','group') | NO   |     | NULL    |       |
  +-------------+----------------------+------+-----+---------+-------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone-ldap/+bug/1722293/+subscriptions
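As an added illustration (not Keystone's or the charm's code), a small Python model of the id_mapping rows shown in the table above and of the delete-then-reuse sequence the report describes. The domain id, the public_id hashing scheme and the LDAP directory snapshot are constructed for this example; the point it shows is that a stale row is only detectable by comparing against the directory before the uidNumber is reused, which is why a non-reusable attribute is safer as user_id_attribute.

```python
"""Model of Keystone's id_mapping table and the stale-mapping bug.

Added illustration, not Keystone code. Columns follow the `desc id_mapping`
output in the report; domain id, LDAP entries and the hash are constructed.
"""
import hashlib

DOMAIN = "ldap-domain"  # constructed domain_id


class IdMapping:
    """In-memory stand-in for the id_mapping table.

    rows: public_id -> (domain_id, local_id, entity_type)
    local_id is the value of user_id_attribute (uidNumber in the report).
    """

    def __init__(self):
        self.rows = {}

    def get_or_create(self, domain_id, local_id, entity_type="user"):
        """Return the public_id for a local_id, creating a row if missing."""
        for public_id, row in self.rows.items():
            if row == (domain_id, local_id, entity_type):
                return public_id  # existing (possibly stale) row wins
        key = f"{domain_id}:{local_id}:{entity_type}".encode()
        public_id = hashlib.sha256(key).hexdigest()  # constructed scheme
        self.rows[public_id] = (domain_id, local_id, entity_type)
        return public_id

    def stale_rows(self, ldap_entries):
        """Rows whose local_id no longer exists in the directory.

        ldap_entries: {uidNumber: uid} snapshot of the user tree.
        """
        return {pid: row for pid, row in self.rows.items()
                if row[1] not in ldap_entries}


def reproduce():
    """Walk the report's sequence.

    Returns (xyz_got_abc_public_id, stale_before_reuse, stale_after_reuse).
    """
    mapping = IdMapping()
    ldap = {"100": "ABC"}                    # ABC created with uidNumber 100
    pid_abc = mapping.get_or_create(DOMAIN, "100")
    del ldap["100"]                          # ABC deleted in LDAP, row kept
    before = len(mapping.stale_rows(ldap))   # audit can still flag the row
    ldap["100"] = "XYZ"                      # XYZ reuses uidNumber 100
    pid_xyz = mapping.get_or_create(DOMAIN, "100")
    after = len(mapping.stale_rows(ldap))    # row now looks valid again
    return pid_abc == pid_xyz, before, after
```

Running `reproduce()` returns `(True, 1, 0)`: XYZ is handed ABC's public_id, and the window in which a directory-versus-table audit could have caught the stale row closes as soon as the uidNumber is reused.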

