yahoo-eng-team team mailing list archive

[Bug 1929066] [NEW] String length exceeded local_id mapping to LDAP

 

Public bug reported:

LDAP Group ID may exceed the current table limit:

String length exceeded. The length of string '***' exceeds the limit of
column local_id(CHAR(64)). (HTTP 400)
(Request-ID: req-bf68d05f-dc7b-4f4b-bbb0-d2a11728de86)

From an upstream bug[1] we had the following solution:

The workaround for this issue is to not use objectGUID as the user or
group ID. However, that workaround might not be applicable in all
situations. For example, the default value for user_id_attribute is
'cn', but if that value spans more than 64 characters, keystone can't
work with it.

But for security reasons, the customer can't change the mapped field.

I believe the limit can be safely changed to 255 without impacting other
OpenStack projects, keystone backends or subsystems.

[1] https://bugs.launchpad.net/keystone/+bug/1889936/comments/1

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1929066
