yahoo-eng-team team mailing list archive

[Bug 1895903] [NEW] Can't use objectGUID as user_id_attribute in Keystone/LDAP integration

 

Public bug reported:

In order to configure Keystone LDAP integration the upstream docs
suggest using cn for user_id_attribute [1]. A more stable alternative
attribute to cn as a user ID could be objectGUID, but it doesn't work in
keystone:

$ openstack user list --domain fd8fbe474db94bb6bd8fa2c29da508c9
ID attribute objectGUID not found in LDAP object CN=..... (HTTP 404) (Request-ID: req-d4564a60-2359-44b4-8b44-76f4345c9df9)

ldapsearch returns the attribute correctly using the same query as the
one failing in keystone.

[1] https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1895903

Title:
  Can't use objectGUID as user_id_attribute in Keystone/LDAP integration

Status in OpenStack Identity (keystone):
  New
