Hi everybody, I am observing the following issue:
LDAP backend is enabled for identity and assignment, domain specific configs disabled. LDAP section configured - users, groups, projects and roles are mapped. I am able to use identity v3 api to list users, groups, to verify that a user is in a group, and also to view role assignments - everything looks correct so far. I am able to create a role for user in LDAP and if I put a user directly into a role, everything works. But when I put a group (which contains that user) into a role - the user gets 401.

I have found a spot in the code which causes the issue:
https://github.com/openstack/keystone/blob/stable/liberty/keystone/assignment/backends/ldap.py#L67

This check returns False, here is why:

===============================================
group_dns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
role_assignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'
===============================================

Therefore the check:

====================================
if role_assignment.user_dn.upper() in group_dns
====================================

will return False. I do not understand how this should work - why should user_dn match group_dn?

--
Yours sincerely,
Dmitry Sutyagin
OpenStack Escalations Engineer
Mirantis, Inc.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
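The comparison quoted in the message, modelled as an added example (this is not keystone's code; the role-assignment structure, the `member_dn` field and all DNs are constructed for illustration): the quoted check looks the user's own DN up in the list of group DNs, which can never match, whereas a membership test has to compare the assignment's subject DN against the user DN and the user's group DNs.

```python
# Added example, not keystone's own code: a model of the role-assignment
# membership check described in the message. All DNs are constructed samples.
from dataclasses import dataclass
from typing import List


@dataclass
class RoleAssignment:
    """One entry of a role's member attribute: the DN the role was granted to."""
    role_name: str
    member_dn: str  # either a user DN or a group DN (hypothetical field name)


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and strip whitespace around RDNs so that two spellings of
    the same DN compare equal (the quoted check relies on .upper() for this)."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).upper()


def quoted_check(user_dn: str, group_dns: List[str]) -> bool:
    """The comparison quoted from the message: the user's own DN is searched
    for in the list of group DNs. A user DN is never a group DN, so a role
    granted to a group is never found for the user this way."""
    return normalize_dn(user_dn) in {normalize_dn(g) for g in group_dns}


def user_has_role(user_dn: str, group_dns: List[str],
                  assignments: List[RoleAssignment], role_name: str) -> bool:
    """Membership test the reporter expects: the role counts if it was granted
    to the user directly or to any group the user belongs to."""
    subjects = {normalize_dn(user_dn)} | {normalize_dn(g) for g in group_dns}
    return any(a.role_name == role_name and normalize_dn(a.member_dn) in subjects
               for a in assignments)


# Constructed sample: UserX is a member of GroupX; role "member" is granted to
# GroupX only, role "admin" to UserX directly.
USER_DN = "cn=UserX,ou=Users,ou=YYY,dc=example,dc=com"
USER_GROUP_DNS = ["cn=GroupX,ou=Groups,ou=YYY,dc=example,dc=com"]
ASSIGNMENTS = [
    RoleAssignment("member", "CN=GroupX,OU=Groups,OU=YYY,DC=example,DC=com"),
    RoleAssignment("admin", USER_DN),
]

if __name__ == "__main__":
    print(quoted_check(USER_DN, USER_GROUP_DNS))                          # False
    print(user_has_role(USER_DN, USER_GROUP_DNS, ASSIGNMENTS, "member"))  # True
    print(user_has_role(USER_DN, USER_GROUP_DNS, ASSIGNMENTS, "admin"))   # True
    print(user_has_role(USER_DN, [], ASSIGNMENTS, "member"))              # False
```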
