yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1929066] Re: String length exceeded local_id mapping to LDAP

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1929066@xxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Aug 2021 12:19:41 -0000
Reply-to: Bug 1929066 <1929066@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/792587
Committed: https://opendev.org/openstack/keystone/commit/ce6031ca12156620cec214a49d162ec7bb30752f
Submitter: "Zuul (22348)"
Branch:    master

commit ce6031ca12156620cec214a49d162ec7bb30752f
Author: Grzegorz Grasza <xek@xxxxxxxxxx>
Date:   Thu May 20 21:07:02 2021 +0200

    Update local_id limit to 255 characters
    
    This avoids the "String length exceeded." error, when using LDAP
    domain specific backend in case the user uses a user id
    attribute, which can exceed the previous constraint of 64 chars.
    
    Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
    Closes-Bug: #1929066
    Resolves: rhbz#1959345


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1929066

Title:
  String length exceeded local_id mapping to LDAP

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  LDAP Group ID may exceed the current table limit:

  String length exceeded. The length of string '***' exceeds the limit
  of column local_id(CHAR(64)). (HTTP 400) (Request-ID: req-
  bf68d05f-dc7b-4f4b-bbb0-d2a11728de86)

  From an upstream bug[1] we had the following solution:

  The workaround for this issue is to not use objectGUID as the user or
  group ID. However, that workaround might not be applicable in all
  situations. For example, the default value for user_id_attribute is
  'cn', but if that value spans more than 64 characters, keystone can't
  work with it.

  But for security reasons, customer can't change the field mapped.

  I believe the limit can be safely changed to 255 without impacting
  other openstack projects, keystone backends or subsystems.

  [1] https://bugs.launchpad.net/keystone/+bug/1889936/comments/1

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1929066/+subscriptions

References

[Bug 1929066] [NEW] String length exceeded local_id mapping to LDAP
From: Grzegorz Grasza, 2021-05-20