yahoo-eng-team team mailing list archive

[Bug 1915318] [NEW] User list cannot be retrieved when pointing user_tree_dn at top level of the root domain

Public bug reported:

Windows AD, functional level Windows Server 2012 R2

Focal + Ussuri

keystone-ldap-31

Using ldap-config-flags of:

```
ldap-config-flags: "{
          user_tree_dn: 'DC=example,DC=org',
          query_scope: sub,
          user_objectclass: person,
          user_id_attribute: cn,
          user_filter: '{|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org)}',
          user_name_attribute: sAMAccountName,
          user_mail_attribute: mail,
          user_pass_attribute: '',
          user_description_attribute: displayName,
          user_enabled_attribute: userAccountControl,
          user_enabled_mask: 2,
          user_enabled_invert: false,
          user_enabled_default: 512,
          group_tree_dn: 'OU=OpenStack,OU=Groups,DC=example,DC=org',
          group_objectclass: group,
          group_id_attribute: cn,
          group_name_attribute: sAMAccountName,
          group_member_attribute: member,
          }"
```

The user list cannot be retrieved, but the group list can. Horizon
shows an error of "Unable to retrieve user list".

Running `openstack user list --domain example.org` shows "Internal
Server Error (HTTP 500)".

In this scenario, there are 2 sets of users that the customer wants to
have access to this OpenStack environment.

There are no logs in /var/log/keystone/keystone.log when this error
occurs.

The DNs for those 2 different User trees are:

OU=AdminUsers,DC=example,DC=com   and OU=Users,DC=example,DC=com

As can be seen, both OUs are off of the root domain, and don't share a
common tree, other than the root.

When the user_tree_dn is changed to `OU=AdminUsers,DC=example,DC=com`,
then users in that User tree can log in and show up in the user list,
but the users from OU=Users,DC=example,DC=com do not, and vice versa.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: cpe-onsite

** Summary changed:

- User list cannot be retried when pointing user_tree_dn at top level of the root domain
+ User list cannot be retrieved when pointing user_tree_dn at top level of the root domain

** Project changed: charm-keystone-ldap => keystone
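An offline check a practitioner can run before touching the deployment, added here as example code (it is not part of keystone, charm-keystone-ldap or the report). It does two things: it parses a `user_filter` string against the RFC 4515 search-filter grammar, and it reports which user DNs a given `user_tree_dn` plus `query_scope` would reach, which is the question the last paragraph of the report is really asking. The two user DNs are constructed from the OUs named in the report; `REPORT_FILTER` is the report's `user_filter` exactly as shown, and `RFC_FILTER` is an assumed rewrite of it with parentheses. RFC 4515 filters are delimited by parentheses, so the parser rejects the curly-brace form; the report itself does not establish whether that is what produces the 500, so treat it as the first thing to rule out, not as the diagnosis. Keystone's `query_scope` accepts `one` and `sub`; `base` is LDAP's third scope and is included only for completeness.

```python
"""Offline sanity checks for a keystone LDAP identity backend configuration.

Example code written for this page; not from keystone or the charm.
  check_filter(s)  -> None if s is a syntactically valid RFC 4515 filter,
                      else a short error message
  covers(dn, tree, scope) -> would a search rooted at `tree` with
                      query_scope `scope` return the entry at `dn`?
"""
import re

# Attribute description: name with optional options, or a numeric OID.
_ATTR = re.compile(r'[A-Za-z][A-Za-z0-9\-]*(;[A-Za-z0-9\-]+)*|\d+(\.\d+)+')


class FilterSyntaxError(ValueError):
    pass


def _parse_filter(s, i):
    """Parse one '(...)' filter starting at s[i]; return (tree, next_index).
    Handles &, |, ! nesting and simple/presence/substring items; extensible
    match rules (attr:rule:=value) are deliberately not supported."""
    if i >= len(s) or s[i] != '(':
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("unterminated filter")
    op = s[i]
    if op in '&|':
        i += 1
        parts = []
        while i < len(s) and s[i] == '(':
            sub, i = _parse_filter(s, i)
            parts.append(sub)
        if not parts:
            raise FilterSyntaxError(f"'{op}' needs at least one sub-filter")
        tree = (op, parts)
    elif op == '!':
        sub, i = _parse_filter(s, i + 1)
        tree = ('!', [sub])
    else:
        m = _ATTR.match(s, i)
        if not m:
            raise FilterSyntaxError(f"expected attribute name at offset {i}")
        attr, i = m.group(0), m.end()
        for tok in ('>=', '<=', '~=', '='):
            if s.startswith(tok, i):
                i += len(tok)
                break
        else:
            raise FilterSyntaxError(f"expected match operator at offset {i}")
        # A literal ')' inside a value must be escaped as \29, so the first
        # raw ')' always terminates the assertion value.
        j = s.find(')', i)
        if j == -1:
            raise FilterSyntaxError(f"unterminated value starting at offset {i}")
        tree, i = (attr, tok, s[i:j]), j
    if i >= len(s) or s[i] != ')':
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return tree, i + 1


def check_filter(s):
    """Return None when s is a well-formed filter, else the error message."""
    s = s.strip()
    try:
        _, end = _parse_filter(s, 0)
        if end != len(s):
            raise FilterSyntaxError(f"trailing characters at offset {end}")
    except FilterSyntaxError as exc:
        return str(exc)
    return None


def validate_filter(s):
    return check_filter(s) is None


def parse_dn(dn):
    """Split a DN into RDNs, most specific first, case-folded (AD matches
    DNs case-insensitively).  Honours backslash escapes such as '\\,'."""
    if not dn.strip():
        return []
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append(''.join(cur))
    return [re.sub(r'\s*=\s*', '=', r.strip()).lower() for r in rdns]


def covers(entry_dn, tree_dn, scope='sub'):
    """True if a search rooted at tree_dn with the given scope returns entry_dn."""
    entry, tree = parse_dn(entry_dn), parse_dn(tree_dn)
    if scope == 'base':
        return entry == tree
    if scope == 'one':
        return len(entry) == len(tree) + 1 and entry[1:] == tree
    if scope == 'sub':
        return len(entry) >= len(tree) and entry[len(entry) - len(tree):] == tree
    raise ValueError(f"unknown query_scope: {scope}")


# The report's user_filter, copied verbatim, and an assumed parenthesised form.
REPORT_FILTER = ('{|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)'
                 '(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org)}')
RFC_FILTER = ('(|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)'
              '(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org))')

# Constructed sample users, one in each OU the report names (names are made up).
SAMPLE_USERS = ['CN=alice,OU=AdminUsers,DC=example,DC=com',
                'CN=bob,OU=Users,DC=example,DC=com']


def reachable(tree_dn, scope='sub', users=SAMPLE_USERS):
    """Which sample users a given user_tree_dn/query_scope would return."""
    return [u for u in users if covers(u, tree_dn, scope)]


if __name__ == '__main__':
    for tree in ('DC=example,DC=com', 'OU=AdminUsers,DC=example,DC=com'):
        print(f"user_tree_dn={tree} scope=sub -> {reachable(tree)}")
    print("report filter:", check_filter(REPORT_FILTER))
    print("rfc filter:   ", check_filter(RFC_FILTER))
```

Running the block prints that the root-level tree with `sub` scope reaches both sample users while the `OU=AdminUsers` tree reaches only one, matching what the report observes for logins, and prints the parse error for the curly-brace filter next to `None` for the parenthesised one.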

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1915318

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1915318/+subscriptions
