
yahoo-eng-team team mailing list archive

[Bug 1722293] Re: Keystone not removing mapping between deleted LDAP user and Openstack

 

LDAP is a read-only backend for keystone. We do provide a way to purge
users from the id_mapping backend [0][1][2]. Keystone does not receive
push notifications from LDAP when users or group changes are made there.

Note that this must be done using the `keystone-manage` command. If you
need more information on how this works, please swing by #openstack-keystone.

[0] https://github.com/openstack/keystone/blob/47dbd256258d747d95cb5320bd02ae207ecf60d6/keystone/cmd/cli.py#L824
[1] https://github.com/openstack/keystone/blob/47dbd256258d747d95cb5320bd02ae207ecf60d6/keystone/identity/core.py#L1470
[2] https://docs.openstack.org/keystone/latest/cli/index.html#keystone-manage

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1722293

Title:
  Keystone not removing mapping between deleted LDAP user and Openstack

Status in OpenStack Keystone LDAP integration:
  Invalid
Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Keystone not removing mapping between deleted LDAP user and Openstack

  The client is using LDAP for authentication and has used uid as a key
  for user_id_attribute. The client created an LDAP user, say ABC, with
  UID=100; this user is associated with an OpenStack user ABC. The
  relationship is recorded in the id_mapping table within the keystone database.

  Now when the client deletes the LDAP user ABC, the entry is not deleted
  from the id_mapping table. Thus when the client creates a new LDAP user
  XYZ which gets the same UID=100, the incorrect record in id_mapping
  restricts the new user XYZ from authenticating and successfully logging on
  to OpenStack.

  Note: there is no record for XYZ within the id_mapping table.

  Details of domain config:

  # User supplied configuration flags
  user_filter = (memberof=cn=xxx,ou=Group,dc=xxx,dc=xxx)
  user_id_attribute = uidNumber
  user_name_attribute = uid
  user_objectclass = posixAccount
  user_tree_dn = ou=xxxxx,dc=xxx,dc=xx
  [identity]
  driver = ldap

  Table Description

  mysql> desc id_mapping;
  +-------------+----------------------+------+-----+---------+-------+
  | Field       | Type                 | Null | Key | Default | Extra |
  +-------------+----------------------+------+-----+---------+-------+
  | public_id   | varchar(64)          | NO   | PRI | NULL    |       |
  | domain_id   | varchar(64)          | NO   | MUL | NULL    |       |
  | local_id    | varchar(64)          | NO   |     | NULL    |       |
  | entity_type | enum('user','group') | NO   |     | NULL    |       |
  +-------------+----------------------+------+-----+---------+-------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone-ldap/+bug/1722293/+subscriptions
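Because keystone gets no push notifications from LDAP, stale id_mapping rows have to be found and purged by the operator. The following is an added example, not keystone's or the bug reporter's code: it reads a `mysql --batch` dump of the id_mapping table described above, compares the local_id column against the ids an LDAP search currently returns, and emits one `keystone-manage mapping_purge` call per orphaned row. The dump, the live LDAP id set and the domain name "corp-ldap" are constructed sample values. Note the caveat from this report: an absence check only catches a mapping while its local id is gone, so the purge has to run before a uidNumber can be reused.

```python
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class Mapping:
    public_id: str
    domain_id: str
    local_id: str
    entity_type: str  # enum('user','group') in the id_mapping table


def parse_mysql_batch(text):
    """Parse `mysql --batch` output (tab-separated, header line first) of
    SELECT public_id, domain_id, local_id, entity_type FROM id_mapping."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        rec = dict(zip(header, ln.split("\t")))
        rows.append(Mapping(rec["public_id"], rec["domain_id"],
                            rec["local_id"], rec["entity_type"]))
    return rows


def find_stale_mappings(rows, live_ids, domain_id):
    """Mappings in domain_id whose local_id is no longer present in LDAP.
    live_ids: {'user': {...}, 'group': {...}} holding the values of
    user_id_attribute (uidNumber here) returned by the LDAP search."""
    return [r for r in rows
            if r.domain_id == domain_id
            and r.local_id not in live_ids.get(r.entity_type, set())]


def purge_commands(stale, domain_name):
    """One mapping_purge call per stale row; --domain-name, --type and
    --local-id are mapping_purge's filter options (id_mapping stores the
    domain UUID, but the CLI filters by domain name)."""
    return ["keystone-manage mapping_purge --domain-name %s --type %s --local-id %s"
            % (shlex.quote(domain_name), m.entity_type, shlex.quote(m.local_id))
            for m in stale]


# Constructed sample: user 100 (ABC) was deleted from LDAP, 101 and group 200 remain.
SAMPLE_DUMP = """public_id\tdomain_id\tlocal_id\tentity_type
pubid-abc\tdom1\t100\tuser
pubid-def\tdom1\t101\tuser
pubid-grp\tdom1\t200\tgroup
"""
LIVE_LDAP_IDS = {"user": {"101"}, "group": {"200"}}

if __name__ == "__main__":
    stale = find_stale_mappings(parse_mysql_batch(SAMPLE_DUMP), LIVE_LDAP_IDS, "dom1")
    for cmd in purge_commands(stale, "corp-ldap"):
        print(cmd)
```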