https://blueprints.launchpad.net/keystone/+spec/revert-multiple-ldap-
servers
** Changed in: keystone
Status: In Progress => Won't Fix
** Changed in: keystone
Milestone: next => None
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1218094
Title:
Multi domain code not searching domains for LDAP read only users
Status in OpenStack Identity (Keystone):
Won't Fix
Bug description:
We have the need to authenticate users from multiple read-only LDAP
servers. I decided to differentiate the LDAP servers by configuring
them to different domains and then use the new multi-domain backend
keystone feature to authenticate them. The new keystone code
successfully locates and configures multiple domains (decorator
"domains_configured(f)" in file "keystone/identity/core.py" ), but
this information is not applied when locating users (i.e get_user).
The problem/bug has to do with the assumption that all users have
entries in the common-local keystone SQL database when in fact they
may only have entries in any one of the domain specific backends. To
get my local test setup working, I added user search code inline to 2
of the methods in file "keystone/identity/core.py". While my code
samples are not a final fix, they do exemplify the problem and what it
takes to fix it.
I also want to mention that the keystone multi domain code reads files
from the keystone/domains directory over and over again. Eventually
this information should get cached to eliminate the time required to
read files from the hard drive.
------------
diff /home/swift/keystone-master_08202013/keystone/identity/core.py
/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py
32d31
<
37d35
<
282,283c280,291
< domain_id, driver = self._get_domain_id_and_driver(domain_scope)
< ref = driver.get_user(user_id)
---
> # try to find domain_id/domain_scope
> if domain_scope is None:
> for domain_id in self.domain_configs:
> domain_id, driver =
self._get_domain_id_and_driver(domain_id)
> try:
> ref = driver.get_user(user_id)
> except exception.UserNotFound as ex:
> continue
> else:
> domain_id, driver = self._get_domain_id_and_driver(domain_scope)
> ref = driver.get_user(user_id)
>
375,376c383,393
< domain_id, driver = self._get_domain_id_and_driver(domain_scope)
< group_list = driver.list_groups_for_user(user_id)
---
> if domain_scope is None:
> for domain_id in self.domain_configs:
> domain_id, driver =
self._get_domain_id_and_driver(domain_id)
> try:
> group_list = driver.list_groups_for_user(user_id)
> except exception.UserNotFound as ex:
> continue
> else:
> domain_id, driver = self._get_domain_id_and_driver(domain_scope)
> group_list = driver.list_groups_for_user(user_id)
>
-------------------
diff /home/swift/keystone-master_08202013/keystone/common/sql/core.py
/usr/local/lib/python2.7/dist-packages/keystone/common/sql/core.py
248a249,252
> def __init__(self, *args, **kwargs):
>> super(Base, self).__init__()
>
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1218094/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
