
[openstack-dev] [keystone] LDAP user_id_attribute does not affect groups

0 votes

Hello OpenStack-dev,

I am running Keystone in a virtual environment with LDAP backend.
When user_id_attribute is set to sn (and the LDAP directory is
configured accordingly),
openstack user list --domain default --group test-group
results in
Group member userid for group f44a7fbb9e174ba5823474c759d43643 not found in the directory. The user should be removed from the group. The user will be ignored.
for a groupOfNames that has userid as a member.

However, openstack user list works OK and lists all user names and ids.

Outputs: http://paste.openstack.org/show/609820/

It seems that the problem is here:
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1280

cn is used as the id attribute regardless of configuration in
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126.

keystone.conf: http://paste.openstack.org/show/609845/
LDAP directory: http://paste.openstack.org/show/609846/

Any ideas? This smells of a bug.

Boris Kudryavtsev


OpenStack Development Mailing List (not for usage questions)
asked May 17, 2017 in openstack-dev by Boris_Kudryavtsev (120 points)  
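
An added illustration of the mismatch described in the post, not Keystone's code: it assumes, as the post suggests, that a group member's ID is derived from the leading RDN of its DN (cn here) while the plain user listing reads the configured id attribute (sn). The directory entries, IDs and function names are constructed for the example.

```python
# Constructed directory (DN -> attributes); not the poster's LDAP paste.
DIRECTORY = {
    "cn=alice,ou=Users,dc=example,dc=org": {"cn": ["alice"], "sn": ["u-1001"]},
    "cn=bob,ou=Users,dc=example,dc=org": {"cn": ["bob"], "sn": ["u-1002"]},
}
# 'member' values of a constructed groupOfNames entry.
GROUP_MEMBERS = [
    "cn=alice,ou=Users,dc=example,dc=org",
    "cn=bob,ou=Users,dc=example,dc=org",
]
USER_ID_ATTRIBUTE = "sn"  # mirrors user_id_attribute = sn from the post


def leading_rdn_value(dn):
    """Value of the first RDN, e.g. 'alice' for 'cn=alice,ou=...'.
    Simplified parser: assumes no escaped commas or multi-valued RDNs."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def id_from_entry(dn, id_attr):
    """ID read from the configured attribute of the member's own entry."""
    entry = DIRECTORY.get(dn)
    if entry is None or not entry.get(id_attr):
        return None
    return entry[id_attr][0]


def known_user_ids(id_attr):
    """IDs as a plain user listing would report them."""
    return {a[id_attr][0] for a in DIRECTORY.values() if a.get(id_attr)}


def resolve_members(members, id_attr, use_entry_lookup):
    """Return (resolved_ids, ignored_member_dns) for a group."""
    known = known_user_ids(id_attr)
    resolved, ignored = [], []
    for dn in members:
        uid = id_from_entry(dn, id_attr) if use_entry_lookup else leading_rdn_value(dn)
        (resolved if uid in known else ignored).append(uid if uid in known else dn)
    return resolved, ignored


if __name__ == "__main__":
    # ID taken from the DN: no member matches an sn-based user ID.
    print(resolve_members(GROUP_MEMBERS, USER_ID_ATTRIBUTE, False))
    # ID read from the configured attribute: every member resolves.
    print(resolve_members(GROUP_MEMBERS, USER_ID_ATTRIBUTE, True))
```

When the id attribute matches the DN's naming attribute (cn in this constructed data), both strategies agree, which is why the mismatch only shows up with a setting such as sn.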