yahoo-eng-team team mailing list archive
Message #85151
[Bug 1915318] Re: User list cannot be retrieved when pointing user_tree_dn at top level of the root domain
Further discussion with Jeff indicated that replacing the `{` and `}` with `(` and `)` resolved the issue.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1915318
Title:
User list cannot be retrieved when pointing user_tree_dn at top level
of the root domain
Status in OpenStack Identity (keystone):
Invalid
Bug description:
Windows AD, functional level Windows Server 2012 R2
Focal + Ussuri
keystone-ldap-31
Using ldap-config-flags of:
```
ldap-config-flags: "{
user_tree_dn: 'DC=example,DC=org',
query_scope: sub,
user_objectclass: person,
user_id_attribute: cn,
user_filter: '{|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org)}',
user_name_attribute: sAMAccountName,
user_mail_attribute: mail,
user_pass_attribute: '',
user_description_attribute: displayName,
user_enabled_attribute: userAccountControl,
user_enabled_mask: 2,
user_enabled_invert: false,
user_enabled_default: 512,
group_tree_dn: 'OU=OpenStack,OU=Groups,DC=example,DC=org',
group_objectclass: group,
group_id_attribute: cn,
group_name_attribute: sAMAccountName,
group_member_attribute: member,
}"
```
The user list cannot be retrieved, but the group list can. Horizon
shows an error of "Unable to retrieve user list".
Running `openstack user list --domain example.org` shows "Internal
Server Error (HTTP 500)".
In this scenario, there are 2 sets of users that the customer wants to
have access to this OpenStack environment.
There are no logs in /var/log/keystone/keystone.log when this error
occurs.
The DNs for those 2 different user trees are:
OU=AdminUsers,DC=example,DC=com and OU=Users,DC=example,DC=com
As can be seen, both OUs are off of the root domain, and don't share
a common tree other than the root.
When the `user_tree_dn` is changed to `OU=AdminUsers,DC=example,DC=com`,
then users in that user tree can log in and show up in the user list,
but the users from OU=Users,DC=example,DC=com do not, and vice versa.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1915318/+subscriptions
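The root cause above is a filter that uses `{` and `}` where RFC 4515 requires `(` and `)`, and keystone surfaced it only as an HTTP 500 with nothing in the log. The following is an added example, not part of the bug report or of keystone's code: a small RFC 4515 syntax checker (a subset: parenthesised `&`, `|`, `!` and `attr=value` items, no extensible-match or escape handling) that a deployer could run over a `user_filter` value before pushing config. `BROKEN_FILTER` is the filter from the report, `FIXED_FILTER` the corrected form.

```python
"""Minimal RFC 4515 LDAP search-filter syntax check (added example, not keystone code)."""

class FilterSyntaxError(ValueError):
    """Raised with the offset of the first character that breaks the grammar."""

def parse_filter(text: str) -> dict:
    """Parse an LDAP filter into a small tree, or raise FilterSyntaxError."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            found = repr(text[pos]) if pos < len(text) else "end of input"
            raise FilterSyntaxError(f"expected '{ch}' at offset {pos}, found {found}")
        pos += 1

    def parse_one() -> dict:
        nonlocal pos
        expect("(")  # every filter and sub-filter is parenthesised; '{' fails right here
        if pos < len(text) and text[pos] in "&|":
            op, pos = text[pos], pos + 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(parse_one())
            if not items:
                raise FilterSyntaxError(f"'{op}' needs at least one sub-filter at offset {pos}")
            node = {"op": op, "items": items}
        elif pos < len(text) and text[pos] == "!":
            pos += 1
            node = {"op": "!", "items": [parse_one()]}
        else:
            end = text.find(")", pos)  # RFC 4515 requires ')' inside values to be escaped
            if end == -1:
                raise FilterSyntaxError(f"unterminated item at offset {pos}")
            item = text[pos:end]
            if "=" not in item or item.startswith("="):
                raise FilterSyntaxError(f"malformed item {item!r} at offset {pos}")
            attr, value = item.split("=", 1)  # value may itself contain '=' (a DN)
            node, pos = {"attr": attr, "value": value}, end
        expect(")")
        return node

    node = parse_one()
    if pos != len(text):
        raise FilterSyntaxError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node

def check_filter(text: str) -> tuple:
    """Return (ok, message); meant as a pre-deploy check on user_filter / group_filter."""
    try:
        parse_filter(text)
        return True, "ok"
    except FilterSyntaxError as exc:
        return False, str(exc)

# Constructed inputs: the filter from the report, and the corrected form.
BROKEN_FILTER = "{|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org)}"
FIXED_FILTER = "(|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org))"
```

Running `check_filter(BROKEN_FILTER)` reports the `{` at offset 0 immediately, which is the signal keystone's 500 response withheld.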