
yahoo-eng-team team mailing list archive

[Bug 1839133] Re: LDAP: group_members_are_ids ignored for user_enabled_emulation_use_group_config

 

Reviewed:  https://review.opendev.org/674782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c7fae97d873f72068ca65538ec5b5919c0ac7d5a
Submitter: Zuul
Branch:    master

commit c7fae97d873f72068ca65538ec5b5919c0ac7d5a
Author: Radosław Piliszek <radoslaw.piliszek@xxxxxxxxx>
Date:   Tue Aug 6 13:25:17 2019 +0200

    Honor group_members_are_ids for user_enabled_emulation
    
    Applied when group config is to be honored
    (i.e. set user_enabled_emulation_use_group_config).
    Conditionals follow usage of group_members_are_ids.
    
    Added new test for the case with ids.
    It fails without fix.
    The original test expanded to ensure the change did not
    break its internals either.
    It passes without fix as well.
    
    Additionally some TODOs are added for observed potential issues.
    
    Change-Id: I7874a70e6109219baee80309c3a27f8af9905a6d
    Closes-Bug: #1839133
    Signed-off-by: Radosław Piliszek <radoslaw.piliszek@xxxxxxxxx>


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1839133

Title:
  LDAP: group_members_are_ids ignored for
  user_enabled_emulation_use_group_config

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  This is re: http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008210.html
  "[keystone] [stein] user_enabled_emulation config problem"

  I set:
  user_tree_dn = ou=Users,o=UCO
  user_objectclass = inetOrgPerson
  user_id_attribute = uid
  user_name_attribute = uid
  user_enabled_emulation = true
  user_enabled_emulation_dn = cn=Users,ou=Groups,o=UCO
  user_enabled_emulation_use_group_config = true
  group_tree_dn = ou=Groups,o=UCO
  group_objectclass = posixGroup
  group_id_attribute = cn
  group_name_attribute = cn
  group_member_attribute = memberUid
  group_members_are_ids = true

  Keystone properly lists members of the Users group but they all remain
  disabled.

  I ran keystone with debug and discovered that it looks for
  memberUid=<DN> instead of memberUid=<ID>, e.g.
  memberUid=uid=r.piliszek,ou=Users,o=UCO instead of
  memberUid=r.piliszek

  I will submit a proposal with my patch to gerrit but will require some
  assistance with creating a unit test that fails without patch and
  works with it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1839133/+subscriptions
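
The lookup described in the bug report, as an added example that is not keystone's code and not part of the original message: it builds the membership filter for the "enabled" group both ways and checks it against a posixGroup entry. The function names and the group entry are constructed for illustration; the DNs and attribute names are the ones quoted in the report.

```python
# Added illustration; not keystone's implementation. Function names are hypothetical.

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def member_value(user_dn, user_id, members_are_ids):
    """Value to look for in the group's member attribute.

    groupOfNames-style groups store full DNs in 'member'; posixGroup stores
    bare ids in 'memberUid', which is what group_members_are_ids = true says.
    """
    return user_id if members_are_ids else user_dn


def membership_filter(member_attribute, value):
    """Equality filter used to test membership of the 'enabled' group."""
    return '(%s=%s)' % (member_attribute, escape_filter_value(value))


def is_enabled(group_entry, member_attribute, value):
    """Enabled emulation: the user is enabled if listed in the group entry."""
    return value in group_entry.get(member_attribute, [])


# Constructed sample data, using the DNs and attribute names from the report.
USER_DN = 'uid=r.piliszek,ou=Users,o=UCO'
USER_ID = 'r.piliszek'
ENABLED_GROUP = {  # stands in for cn=Users,ou=Groups,o=UCO
    'objectClass': ['posixGroup'],
    'cn': ['Users'],
    'memberUid': ['r.piliszek'],
}

if __name__ == '__main__':
    for label, ids in (('setting ignored', False), ('setting honored', True)):
        value = member_value(USER_DN, USER_ID, ids)
        print('%-16s %-45s enabled=%s' % (
            label, membership_filter('memberUid', value),
            is_enabled(ENABLED_GROUP, 'memberUid', value)))
```

With the setting ignored the DN is compared against memberUid values that hold bare ids, so a user who is a member of the group is still reported as disabled.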

