Greetings! I think I found a problem in extra attributes handling in the LDAP backend. Also, I'd like to propose a solution :)
There is a bug, https://bugs.launchpad.net/keystone/+bug/1336769 "LDAP additional attribute mappings do not care about model attribute", reported by Marcos Lobo (https://launchpad.net/~marcos-fermin-lobo). It describes a problem where the server handles requests without any warning about model data mismatches.

First of all, I noticed that it is all about optional attributes, and it seems to be okay to handle them as I see fit. But in the end Marcos states: "I have a mistake in the keystone.conf file and everything is working properly." This got my attention, and I decided to check field mappings, model validations, CRUD and anything available in that direction.

I found nothing about model validation. Really, there is no means to be sure you received valid data from the LDAP backend. Furthermore, keystone.common.ldap.core.BaseLdap._ldap_res_to_model() completely ignores the extra fields mapping while translating data received from the LDAP server to the model structure.

Tests correctly cover only the create operation, checking the model-to-LDAP field mapping: keystone.tests.test_backend_ldap.LDAPIdentity.test_user_extra_attribute_mapping(). But the test for retrieval only covers the case when "description" is mapped to "description": keystone.tests.test_backend_ldap.LDAPIdentity.test_user_extra_attribute_mapping_description_is_returned(). The test passes not because the extra mapping works but due to the default behaviour of the generic mapping: if a mapping is not found, pass the field as is.

I added required attribute validation to keystone.common.models.Model, but applying it resulted in many test failures. Further analysis revealed that there are some algorithms depending on behaviour such as saving/retrieving model instances without some fields declared in a model as required. So I had to fall back to a warning instead of raising a validation error.

The patch awaits review and I'm in doubt: is there a single bug, or does it have to be split?
https://review.openstack.org/#/c/118590/

Kind Regards,
Alexander Makarov,
Senior Developer,
Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia
Tel.: +7 (495) 640-49-04
Tel.: +7 (926) 204-50-60
Skype: MAKAPOB.AJIEKCAHDP
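
A simplified model of the behaviour this message describes, as an added example that is not keystone code and not part of the original e-mail: the create path applies the extra mapping, the read path does not, and an identity mapping such as "description" to "description" hides the gap. The mapping tables, function names and sample user are assumptions made for illustration.

```python
import logging

log = logging.getLogger("ldap_mapping_demo")

# Constructed tables (model attribute -> LDAP attribute), not keystone's config format.
BASE_MAPPING = {"id": "uid", "name": "cn"}
EXTRA_MAPPING = {"description": "displayName"}
REQUIRED = ("id", "name")


def model_to_ldap(model, extra=EXTRA_MAPPING):
    """Create path: applies the base and the extra mapping."""
    mapping = {**BASE_MAPPING, **extra}
    return {mapping.get(attr, attr): [value] for attr, value in model.items()}


def ldap_to_model(entry, extra=None):
    """Read path. With extra=None only the base mapping is reversed and any
    other LDAP attribute is passed through under its LDAP name."""
    mapping = {**BASE_MAPPING, **(extra or {})}
    reverse = {ldap: attr for attr, ldap in mapping.items()}
    return {reverse.get(ldap, ldap): values[0] for ldap, values in entry.items()}


def check_required(model, strict=False):
    """Return the required attributes missing from a model dict.
    strict=True raises; strict=False only logs a warning."""
    missing = [attr for attr in REQUIRED if attr not in model]
    if missing and strict:
        raise ValueError("missing required attributes: %s" % ", ".join(missing))
    if missing:
        log.warning("model is missing required attributes: %s", ", ".join(missing))
    return missing


if __name__ == "__main__":
    user = {"id": "u1", "name": "alice", "description": "ops"}  # constructed sample
    entry = model_to_ldap(user)
    print(entry)
    print(ldap_to_model(entry))                 # description comes back as displayName
    print(ldap_to_model(entry, EXTRA_MAPPING))  # round-trips to the original model
    same = {"description": "description"}
    print(ldap_to_model(model_to_ldap(user, same)) == user)  # True: pass-through hides the gap
    print(check_required({"name": "alice"}))
```

A retrieval test that only uses the identity mapping passes against the first read path, which is why a round-trip test needs a mapping where the two names differ.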