[Bug 1722293] Re: Keystone not removing mapping between deleted LDAP user and Openstack
Xav,
In other deploys we have seen either of the following used:
user_id_attribute=cn
or
user_id_attribute=sAMAccountName
Docs use cn:
https://docs.openstack.org/keystone/latest/admin/identity-integrate-with-ldap.html
I don't think this is a charm bug. It is either configuration or
upstream keystone. Please feel free to re-open the charm portion of the
bug if I am mistaken.
** Changed in: charm-keystone-ldap
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1722293
Title:
Keystone not removing mapping between deleted LDAP user and Openstack
Status in OpenStack Keystone LDAP integration:
Invalid
Status in OpenStack Identity (keystone):
New
Bug description:
Keystone not removing mapping between deleted LDAP user and Openstack
The client is using LDAP for authentication and has used uid as a key
for user_id_attribute. The client created an LDAP user, say ABC, with
UID=100; this user is associated with an OpenStack user ABC. The
relationship is recorded in the id_mapping table within the keystone database.
Now when the client deletes the LDAP user ABC, the entry is not deleted
from the id_mapping table. Thus when the client creates a new LDAP user
XYZ which gets the same UID=100, the incorrect record in id_mapping
restricts the new user XYZ from authenticating and successfully logging on
to OpenStack.
Note: there is no record for XYZ within the id_mapping table.
Details of domain config:
# User supplied configuration flags
user_filter = (memberof=cn=xxx,ou=Group,dc=xxx,dc=xxx)
user_id_attribute = uidNumber
user_name_attribute = uid
user_objectclass = posixAccount
user_tree_dn = ou=xxxxx,dc=xxx,dc=xx
[identity]
driver = ldap
Table Description
mysql> desc id_mapping;
+-------------+----------------------+------+-----+---------+-------+
| Field       | Type                 | Null | Key | Default | Extra |
+-------------+----------------------+------+-----+---------+-------+
| public_id   | varchar(64)          | NO   | PRI | NULL    |       |
| domain_id   | varchar(64)          | NO   | MUL | NULL    |       |
| local_id    | varchar(64)          | NO   |     | NULL    |       |
| entity_type | enum('user','group') | NO   |     | NULL    |       |
+-------------+----------------------+------+-----+---------+-------+
To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone-ldap/+bug/1722293/+subscriptions
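The id_mapping behaviour the report describes, modelled in a small added example (this is not Keystone's code; the domain id, the uidNumber values, the directory listing and the hash used for public_id are all assumptions). It shows that a reused local_id resolves to the deleted user's public_id, and adds a reconciliation check that lists rows whose local_id no longer exists in the directory so they can be cleaned up before the id is reused.

```python
import hashlib

ENTITY_USER = "user"


def public_id_for(domain_id: str, local_id: str) -> str:
    # Stand-in for Keystone's public ID generator (assumption: a stable
    # hash of domain_id + local_id; the exact derivation is not on the page).
    return hashlib.sha256((domain_id + local_id).encode()).hexdigest()


class IdMapping:
    """In-memory stand-in for the keystone id_mapping table shown above."""

    def __init__(self):
        self.rows = {}  # (domain_id, local_id, entity_type) -> public_id

    def get_or_create(self, domain_id, local_id, entity_type=ENTITY_USER):
        # Keystone never deletes a row when the LDAP entry disappears, so a
        # later lookup with the same local_id returns the old public_id.
        key = (domain_id, local_id, entity_type)
        if key not in self.rows:
            self.rows[key] = public_id_for(domain_id, local_id)
        return self.rows[key]

    def stale_entries(self, domain_id, live_local_ids, entity_type=ENTITY_USER):
        """Rows for domain_id whose local_id is absent from the directory."""
        return sorted(k for k in self.rows
                      if k[0] == domain_id and k[2] == entity_type
                      and k[1] not in live_local_ids)


def simulate_uid_reuse():
    """Replay the report: ABC (uidNumber 100) is mapped, deleted from LDAP,
    then XYZ is created with the same uidNumber.
    Returns (same_public_id, stale_rows_found_before_reuse)."""
    m = IdMapping()
    domain = "ldap_domain"                    # constructed domain_id
    pid_abc = m.get_or_create(domain, "100")  # ABC authenticates once
    # ABC is removed from LDAP; the row stays. A constructed directory
    # listing now contains only other accounts' uidNumbers.
    live_uids = {"101", "102"}
    stale = m.stale_entries(domain, live_uids)  # flags the ABC row
    pid_xyz = m.get_or_create(domain, "100")    # XYZ reuses uidNumber 100
    return pid_abc == pid_xyz, stale
```

Running the stale-entry check against a fresh directory export, and purging what it reports, is the operational step that prevents the collision the report describes.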