Further discussion with Jeff indicated that replacing the { and } with ( and ) resolved the issue.
** Changed in: keystone
       Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1915318

Title:
User list cannot be retrieved when pointing user_tree_dn at top level of the root domain

Status in OpenStack Identity (keystone):
Invalid

Bug description:

Windows AD, functional level Windows Server 2012 R2
Focal + Ussuri
keystone-ldap-31

Using ldap-config-flags of:

```
ldap-config-flags: "{
    user_tree_dn: 'DC=example,DC=org',
    query_scope: sub,
    user_objectclass: person,
    user_id_attribute: cn,
    user_filter: '{|(memberOf=CN=OpenStackAdmins,OU=OpenStack,OU=Groups,DC=example,DC=org)(memberOf=CN=OpenStackUsers,OU=OpenStack,OU=Groups,DC=example,DC=org)}',
    user_name_attribute: sAMAccountName,
    user_mail_attribute: mail,
    user_pass_attribute: '',
    user_description_attribute: displayName,
    user_enabled_attribute: userAccountControl,
    user_enabled_mask: 2,
    user_enabled_invert: false,
    user_enabled_default: 512,
    group_tree_dn: 'OU=OpenStack,OU=Groups,DC=example,DC=org',
    group_objectclass: group,
    group_id_attribute: cn,
    group_name_attribute: sAMAccountName,
    group_member_attribute: member,
  }"
```

The user list cannot be retrieved, but the group list can.

Horizon shows an error of "Unable to retrieve user list".

Running `openstack user list --domain example.org` shows "Internal Server Error (HTTP 500)".

In this scenario, there are 2 sets of users that the customer wants to have access to this OpenStack environment.

There are no logs in /var/log/keystone/keystone.log when this error occurs.

The DNs for those 2 different user trees are:

OU=AdminUsers,DC=example,DC=com
and
OU=Users,DC=example,DC=com

As can be seen, both OUs are off of the root domain, and don't share a common tree, other than the root.

When the user_dn_tree is changed to `OU=AdminUsers,DC=example,DC=com`, users in that user tree can log in and show up in the user list, but the users from OU=Users,DC=example,DC=com do not, and vice versa.
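The resolution noted in the comment (parentheses instead of braces around the `user_filter` expression) is the kind of error a structural check of the filter string catches before the config is deployed. The following is an added example, not keystone or charm code: `check_filter`, `FilterError` and the constants are hypothetical names, and the two filter strings are built from the values in the bug description.

```python
# Added example: minimal structural check of an LDAP search filter (RFC 4515).
class FilterError(ValueError):
    """Raised when the filter string is not well formed."""

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        found = repr(s[i]) if i < len(s) else "end of string"
        raise FilterError(f"expected '(' at offset {i}, found {found}")
    i += 1
    if i < len(s) and s[i] in "&|":       # AND / OR: one or more sub-filters
        i += 1
        if i >= len(s) or s[i] != "(":
            raise FilterError(f"operator at offset {i - 1} has no sub-filter")
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif i < len(s) and s[i] == "!":      # NOT: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                 # simple item: attr<op>value
        end = s.find(")", i)
        if end == -1:
            raise FilterError(f"unterminated item starting at offset {i}")
        item = s[i:end]
        attr, sep, _value = item.partition("=")
        if not sep or not attr.rstrip("~<>:") or "(" in item:
            raise FilterError(f"malformed item {item!r} at offset {i}")
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(text):
    """Return None if text is exactly one well-formed filter, else an error message."""
    try:
        end = _parse(text, 0)
        if end != len(text):
            raise FilterError(f"trailing data at offset {end}")
    except FilterError as exc:
        return str(exc)
    return None

# Filter strings from the bug description: as reported (braces) and as fixed.
GROUPS = "OU=OpenStack,OU=Groups,DC=example,DC=org"
BRACES = f"{{|(memberOf=CN=OpenStackAdmins,{GROUPS})(memberOf=CN=OpenStackUsers,{GROUPS})}}"
PARENS = "(" + BRACES[1:-1] + ")"

if __name__ == "__main__":
    for name, flt in (("braces", BRACES), ("parens", PARENS)):
        print(name, "->", check_filter(flt) or "ok")
```
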