We do not believe it is a good idea in this production cloud to change the user_id_attribute to = uid, as the user mapping table has already stored the uidNumbers as the user_id_attribute, and this would lead to database inconsistency unless we wiped the user table from the database.

user_id_attribute is supposed to be like the passwd database UID field, and user_name_attribute is supposed to be your login like "dfreiberger". Please see documentation regarding posixAccount affinity for these variables on this page for configuration guide:
https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html

The intention of the keystone ldap integration documentation clearly states that it expects a full DN in the group_member_attribute if group_members_are_ids = false. This means that the code must dereference the dn uid=drew,ou=users,dc=mysite,dc=com and return the user_id_attribute field if the function needs to reference the user_id field.

--
https://bugs.launchpad.net/bugs/1832766
Title: LDAP group_members_are_ids = false fails in Rocky/Stein
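The dereference the comment above asks for, as an added example that is not part of the original bug comment and is not keystone's code. It resolves each member DN to the entry's user_id_attribute against a constructed in-memory directory. The entries, uidNumber values, the "alice" and "gone" users, the "member" attribute name and all function names are assumptions made for illustration.

```python
# Constructed sample directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "uid=drew,ou=users,dc=mysite,dc=com": {"uid": ["drew"], "uidNumber": ["1001"]},
    "uid=alice,ou=users,dc=mysite,dc=com": {"uid": ["alice"], "uidNumber": ["1002"]},
}
# Constructed group entry whose member attribute holds full DNs
# (the group_members_are_ids = false case).
GROUP = {"cn": ["admins"], "member": [
    "uid=drew,ou=users,dc=mysite,dc=com",
    "UID=alice, OU=users, DC=mysite, DC=com",  # same entry, different spelling
    "uid=gone,ou=users,dc=mysite,dc=com",      # dangling reference, no such entry
]}

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: no escaped commas handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def rdn_value(dn):
    """Value of the first RDN. This equals the user ID only when
    user_id_attribute happens to be the RDN attribute (here: uid)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()

def resolve_member_ids(group, directory, user_id_attribute, member_attribute="member"):
    """Dereference each member DN and return (ids, unresolved_dns)."""
    index = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    ids, unresolved = [], []
    for dn in group.get(member_attribute, []):
        attrs = index.get(normalize_dn(dn))
        values = attrs.get(user_id_attribute) if attrs else None
        if values:
            ids.append(values[0])
        else:
            # Missing entry or missing attribute: report it, never guess an ID.
            unresolved.append(dn)
    return ids, unresolved

if __name__ == "__main__":
    ids, missing = resolve_member_ids(GROUP, DIRECTORY, "uidNumber")
    print("dereferenced IDs:", ids)
    print("unresolved DNs:  ", missing)
    print("RDN shortcut:    ", [rdn_value(dn) for dn in GROUP["member"]])
```

With user_id_attribute set to uidNumber, the RDN values ("drew", "alice") never match the stored IDs ("1001", "1002"), which is why the DN has to be looked up rather than parsed.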
