https://blueprints.launchpad.net/keystone/+spec/revert-multiple-ldap-servers
** Changed in: keystone
       Status: In Progress => Won't Fix

** Changed in: keystone
    Milestone: next => None

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1218094

Title:
  Multi domain code not searching domains for LDAP read only users

Status in OpenStack Identity (Keystone):
  Won't Fix

Bug description:
  We have the need to authenticate users from multiple read-only LDAP servers. I decided to differentiate the LDAP servers by configuring them to different domains and then use the new multi-domain backend keystone feature to authenticate them.

  The new keystone code successfully locates and configures multiple domains (decorator "domains_configured(f)" in file "keystone/identity/core.py"), but this information is not applied when locating users (i.e. get_user). The problem/bug has to do with the assumption that all users have entries in the common-local keystone SQL database when in fact they may only have entries in any one of the domain specific backends.

  To get my local test setup working, I added user search code inline to 2 of the methods in file "keystone/identity/core.py". While my code samples are not a final fix, they do exemplify the problem and what it takes to fix it.

  I also want to mention that the keystone multi domain code reads files from the keystone/domains directory over and over again. Eventually this information should get cached to eliminate the time required to read files from the hard drive.
------------ diff /home/swift/keystone-master_08202013/keystone/identity/core.py /usr/local/lib/python2.7/dist-packages/keystone/identity/core.py 32d31 < 37d35 < 282,283c280,291 < domain_id, driver = self._get_domain_id_and_driver(domain_scope) < ref = driver.get_user(user_id) --- > # try to find domain_id/domain_scope > if domain_scope is None: > for domain_id in self.domain_configs: > domain_id, driver = self._get_domain_id_and_driver(domain_id) > try: > ref = driver.get_user(user_id) > except exception.UserNotFound as ex: > continue > else: > domain_id, driver = self._get_domain_id_and_driver(domain_scope) > ref = driver.get_user(user_id) > 375,376c383,393 < domain_id, driver = self._get_domain_id_and_driver(domain_scope) < group_list = driver.list_groups_for_user(user_id) --- > if domain_scope is None: > for domain_id in self.domain_configs: > domain_id, driver = self._get_domain_id_and_driver(domain_id) > try: > group_list = driver.list_groups_for_user(user_id) > except exception.UserNotFound as ex: > continue > else: > domain_id, driver = self._get_domain_id_and_driver(domain_scope) > group_list = driver.list_groups_for_user(user_id) > ------------------- diff /home/swift/keystone-master_08202013/keystone/common/sql/core.py /usr/local/lib/python2.7/dist-packages/keystone/common/sql/core.py 248a249,252 > def __init__(self, *args, **kwargs): >> super(Base, self).__init__() >
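Review bot: in the `282,283c280,291` hunk (get_user) the search loop never breaks after a successful `ref = driver.get_user(user_id)`, so the remaining domains are still probed and `domain_id`, `driver` and `ref` end up holding whatever the last iteration produced; and when no domain knows the user, control falls out of the loop with `ref` never assigned, so the caller gets a NameError instead of `exception.UserNotFound`. Add `break` after the successful lookup and raise `exception.UserNotFound(user_id=user_id)` when the loop completes without a match (a `for ... else` expresses this directly). The loop variable `domain_id` is also immediately rebound by the tuple unpacking on the next line, and `ex` is never used. Beyond the mechanics, resolving an unscoped user_id by probing every backend makes the answer depend on the iteration order of `self.domain_configs`: if the same user id exists in two of the LDAP servers the lookup silently settles on one of them, so either require a domain scope for these lookups or treat more than one match as an error rather than returning the first (or, as written, the last) hit.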
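Review bot: the `375,376c383,393` hunk (list_groups_for_user) repeats the missing `break` and the unassigned result variable (`group_list`) from the get_user change, and adds a third problem: only `exception.UserNotFound` ends an iteration, so a driver that answers an unknown user with an empty list rather than raising is accepted as a match, and because nothing breaks out of the loop the last domain's result (possibly `[]`) overwrites a real membership list found in an earlier domain. Since group membership feeds role assignment, reading it from the wrong backend is an authorization problem, not just a lookup bug. Resolve the user's domain first (the get_user path) and then call `list_groups_for_user` on that one driver, instead of probing every backend a second time.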
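Review bot: the `248a249,252` hunk gives `Base` an `__init__(self, *args, **kwargs)` that calls `super(Base, self).__init__()` with no arguments, so every positional and keyword argument passed to a model constructor is silently discarded; the SQLAlchemy declarative base's default constructor is what sets column attributes from keyword arguments (e.g. `Model(id=..., name=...)`), so with this override such objects would be created empty. Either pass the arguments through (`super(Base, self).__init__(*args, **kwargs)`) or drop the override, and explain in the bug why `keystone/common/sql/core.py` needed to change at all, since the description only discusses the identity core lookups. The `>>` prefix on the `super` line looks like a copy error, and the hunk header says four lines were added where only two are shown.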
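The lookup the reporter describes (search each configured domain's backend when no domain scope is given), written out as an added example in Python; this is not Keystone's code and not the reporter's patch. The class names (`DictDriver`, `IdentityManager`, `AmbiguousUser`, `DomainNotFound`) and the sample users and groups are hypothetical, constructed for the example. It goes a little beyond the inline patch: it searches domains in a fixed order, stops with `UserNotFound` when nothing matches, refuses to guess when the same user id exists in more than one backend, and reads group membership only from the domain the user was resolved in.

```python
# Added example, not Keystone's own code: a domain-aware user lookup for an
# identity manager fronting several read-only backends (one per domain).
# DictDriver / IdentityManager / AmbiguousUser / DomainNotFound are hypothetical
# stand-ins for Keystone's driver and manager classes.


class UserNotFound(Exception):
    """Raised when no candidate domain backend knows the user id."""

    def __init__(self, user_id):
        super().__init__("Could not find user: %s" % user_id)
        self.user_id = user_id


class DomainNotFound(Exception):
    """Raised when a lookup is scoped to a domain that is not configured."""


class AmbiguousUser(Exception):
    """Raised when an unscoped user id matches in more than one domain backend."""

    def __init__(self, user_id, domains):
        super().__init__("User id %r exists in domains %s" % (user_id, domains))
        self.user_id = user_id
        self.domains = domains


class DictDriver:
    """Hypothetical read-only driver backed by dicts (stands in for an LDAP driver)."""

    def __init__(self, users, groups):
        self._users = users      # user_id -> user ref
        self._groups = groups    # user_id -> list of group refs

    def get_user(self, user_id):
        try:
            return dict(self._users[user_id])
        except KeyError:
            raise UserNotFound(user_id)

    def list_groups_for_user(self, user_id):
        # Mirrors a backend that answers an unknown user with [] instead of raising,
        # which is why the manager must not use this call to discover the user's domain.
        return [dict(g) for g in self._groups.get(user_id, [])]


class IdentityManager:
    """Routes lookups to the requested domain's driver, or searches all domains."""

    def __init__(self, domain_drivers):
        self._drivers = dict(domain_drivers)  # domain_id -> driver

    def _candidate_domains(self, domain_scope):
        if domain_scope is None:
            # Sorted so the search order does not depend on config loading order.
            return sorted(self._drivers)
        if domain_scope not in self._drivers:
            raise DomainNotFound(domain_scope)
        return [domain_scope]

    def get_user(self, user_id, domain_scope=None):
        matches = []
        for domain_id in self._candidate_domains(domain_scope):
            try:
                ref = self._drivers[domain_id].get_user(user_id)
            except UserNotFound:
                continue
            ref["domain_id"] = domain_id
            matches.append(ref)
        if not matches:
            raise UserNotFound(user_id)
        if len(matches) > 1:
            # Two backends both claim the id: refuse to guess rather than pick one.
            raise AmbiguousUser(user_id, [m["domain_id"] for m in matches])
        return matches[0]

    def list_groups_for_user(self, user_id, domain_scope=None):
        # Resolve the user's domain first, then read membership from that backend only.
        user = self.get_user(user_id, domain_scope)
        driver = self._drivers[user["domain_id"]]
        return [dict(g, domain_id=user["domain_id"])
                for g in driver.list_groups_for_user(user_id)]


def build_example_manager():
    """Constructed sample data: two LDAP-like domains plus a default domain."""
    corp = DictDriver(
        users={"alice": {"id": "alice", "name": "Alice"},
               "svc-backup": {"id": "svc-backup", "name": "backup (corp)"}},
        groups={"alice": [{"id": "admins", "name": "admins"}]})
    partner = DictDriver(
        users={"bob": {"id": "bob", "name": "Bob"},
               "svc-backup": {"id": "svc-backup", "name": "backup (partner)"}},
        groups={})
    default = DictDriver(users={"admin": {"id": "admin", "name": "admin"}}, groups={})
    return IdentityManager({"corp": corp, "partner": partner, "default": default})


if __name__ == "__main__":
    mgr = build_example_manager()
    print(mgr.get_user("alice"))               # resolved by search: domain corp
    print(mgr.list_groups_for_user("alice"))   # groups from the corp backend only
    try:
        mgr.get_user("svc-backup")
    except AmbiguousUser as exc:
        print("ambiguous:", exc.domains)       # ['corp', 'partner']
```

Collecting every match instead of stopping at the first costs one extra round trip per backend on unscoped lookups, but it is what lets the manager notice a user id that is claimed by two LDAP servers; a scoped lookup (`domain_scope` given) only ever touches that one backend.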