yahoo-eng-team team mailing list archive, Message #83473
[Bug 1889936] [NEW] Using Microsoft AD's objectGUID attribute as user_id_attribute breaks
Public bug reported:
Microsoft AD has a default attribute in its schema for users and groups
called objectGUID [0]. The attribute is assigned when new users and
groups are created.
If we attempt to use this attribute as a user's ID by setting
user_id_attribute=objectGUID, keystone throws an HTTP 404 listing users.
The following configuration is from a reproducer environment integrating
MS AD with keystone:
I was able to recreate this using a 2016 AD server with the
following keystone LDAP configuration file:
[root@overcloud-controller-0 /]# cat /etc/keystone/domains/keystone.windows.conf
[ldap]
url=ldap://192.168.1.209
user=CN=Administrator,CN=Users,DC=mycompany,DC=local
password=p@ssw0rd1
suffix=DC=mycompany,DC=local
user_tree_dn=DC=mycompany,DC=local
user_objectclass=user
user_id_attribute=objectGUID
query_scope=sub
user_name_attribute=sAMAccountName
[identity]
driver=ldap
[stack@undercloud ~]$ openstack --os-cloud overcloud user list --domain windows
ID attribute objectGUID not found in LDAP object CN=Administrator,CN=Users,DC=mycompany,DC=local (HTTP 404) (Request-ID: req-cdc056fd-2ebc-4a24-81d9-8a0948fc56bf)
The root of the issue is that keystone isn't properly decoding the
value, which you can see from the logs as the ldap backend processes
results from AD.
/var/log/containers/keystone/keystone.log:2020-07-31 18:58:36.319 19 WARNING keystone.common.wsgi [req-ae63fcc8-64a1-48f5-96c9-c107df9c4be0 c4c7be68b7304ba884a0d15f3f882df4 b970c795de7749af821f1d53b51fa0d5 - default default] ID attribute objectGUID not found in LDAP object CN=Administrator,CN=Users,DC=mycompany,DC=local: NotFound: ID attribute objectGUID not found in LDAP object CN=Administrator,CN=Users,DC=mycompany,DC=local
Relevant code:
https://opendev.org/openstack/keystone/src/commit/bcc751b3a24a93b5d8aab1bfb7eb8027d8499e36/keystone/identity/backends/ldap/common.py#L1328-L1330
https://opendev.org/openstack/keystone/src/commit/bcc751b3a24a93b5d8aab1bfb7eb8027d8499e36/keystone/identity/backends/ldap/common.py#L950
https://opendev.org/openstack/keystone/src/commit/bcc751b3a24a93b5d8aab1bfb7eb8027d8499e36/keystone/identity/backends/ldap/common.py#L144-L183
https://opendev.org/openstack/keystone/src/commit/bcc751b3a24a93b5d8aab1bfb7eb8027d8499e36/keystone/identity/backends/ldap/common.py#L174
https://opendev.org/openstack/keystone/src/commit/bcc751b3a24a93b5d8aab1bfb7eb8027d8499e36/keystone/identity/backends/ldap/common.py#L141
https://opendev.org/openstack/keystone/src/commit/bcc751b3a24a93b5d8aab1bfb7eb8027d8499e36/keystone/identity/backends/ldap/common.py#L81-L97
We might need to consider handling this value similar to what the
python-ldap community suggests:
https://mail.python.org/pipermail/python-ldap/2014q3/003410.html
[0] https://docs.microsoft.com/en-us/windows/win32/adschema/a-objectguid
** Affects: keystone
Importance: Undecided
Status: New
** Tags: ldap
** Tags added: ldap
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1889936
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1889936/+subscriptions
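The objectGUID attribute the report above describes is a raw 16-byte binary value, not a text string, so an identity backend that treats every attribute value as UTF-8 text will fail on it. The following added example is not part of this bug report or of keystone's code; it shows one common way of handling the value: convert the raw bytes to the canonical GUID string with Python's standard uuid module (AD stores the first three GUID fields little-endian, hence bytes_le), and escape the bytes per RFC 4515 when building a search filter for the reverse lookup. The sample entry and GUID bytes are constructed for the example.

```python
import uuid
from typing import Dict, List, Optional

# Constructed sample of the dict python-ldap returns for one AD user entry
# when objectGUID is requested. The 16 GUID bytes are made up for this example.
SAMPLE_GUID_BYTES = bytes.fromhex("a3b1c2d4e5f60718293a4b5c6d7e8f90")
SAMPLE_ENTRY: Dict[str, List[bytes]] = {
    "sAMAccountName": [b"Administrator"],
    "objectGUID": [SAMPLE_GUID_BYTES],
}


def naive_decode(entry: Dict[str, List[bytes]], attr: str) -> Optional[List[str]]:
    """A text-only decode of an attribute; returns None when the value is binary.

    This mirrors the failure mode in the report: objectGUID bytes are not
    valid UTF-8, so a text-only decode cannot surface the attribute at all.
    """
    try:
        return [v.decode("utf-8") for v in entry[attr]]
    except UnicodeDecodeError:
        return None


def objectguid_to_str(raw: bytes) -> str:
    """Convert raw objectGUID bytes to the canonical GUID string AD tools show.

    AD stores the Data1/Data2/Data3 fields little-endian, so bytes_le is
    the correct constructor; using bytes= would silently produce a wrong GUID.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def str_to_objectguid(guid_str: str) -> bytes:
    """Inverse of objectguid_to_str: canonical GUID string back to AD byte order."""
    return uuid.UUID(guid_str).bytes_le


def objectguid_filter(guid_str: str) -> str:
    """Build an RFC 4515 search filter matching a binary objectGUID.

    Every byte is escaped as \\xx so the filter stays valid regardless of
    which bytes the GUID happens to contain (NUL, parentheses, '*', etc.).
    """
    raw = str_to_objectguid(guid_str)
    return "(objectGUID=" + "".join("\\%02x" % b for b in raw) + ")"


def user_id_from_entry(entry: Dict[str, List[bytes]], id_attr: str = "objectGUID") -> str:
    """Derive a stable, text-safe user ID from an LDAP entry.

    Binary objectGUID values are rendered as GUID strings; other ID attributes
    are decoded as UTF-8 text. Attribute names are matched case-insensitively
    because LDAP attribute names are.
    """
    values = entry.get(id_attr)
    if not values:
        raise KeyError("ID attribute %s not found in LDAP object" % id_attr)
    raw = values[0]
    if id_attr.lower() == "objectguid":
        return objectguid_to_str(raw)
    return raw.decode("utf-8")


if __name__ == "__main__":
    print("naive decode:", naive_decode(SAMPLE_ENTRY, "objectGUID"))
    uid = user_id_from_entry(SAMPLE_ENTRY)
    print("user id:", uid)
    print("filter:", objectguid_filter(uid))
```

The ID produced this way is stable for the lifetime of the AD object, survives renames (unlike sAMAccountName or the DN) and is plain ASCII, so it can be stored and logged safely; the filter helper is what a backend needs to map that ID back to the entry.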