** Also affects: keystone/kilo
   Importance: Undecided
       Status: New

** Changed in: keystone/kilo
       Status: New => Fix Committed

** Changed in: keystone/kilo
    Milestone: None => 2015.1.3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515302

Title:
  Group membership attribute is hard-coded when using
  'user_enable_emulation'

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Committed

Bug description:
  The 'group_member_attribute' is used in Keystone when looking for
  groups in LDAP to find membership. But, when using
  'user_enable_emulation', the following code in
  keystone/common/ldap/core.py references a hard-coded 'member'
  entry instead of 'group_member_attribute'.

  ---
        def _get_enabled(self, object_id):
            dn = self._id_to_dn(object_id)
            query = '(member=%s)' % dn  # <---- Here
            with self.get_connection() as conn:
                try:
                    enabled_value = conn.search_s(self.enabled_emulation_dn,
                                                  ldap.SCOPE_BASE,
                                                  query, ['cn'])
                except ldap.NO_SUCH_OBJECT:
                    return False
                else:
                    return bool(enabled_value)
  ---

  As a result, when integrating Keystone with an LDAP back-end and using
  the 'enabled_user_emulation' feature with a group for which the
  membership attribute is 'uniquemember', users are listed as not
  enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1515302/+subscriptions
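
Added example (not part of the bug report and not Keystone's code): a small offline model of the enabled-emulation check described above, showing that a filter on 'member' reports a user as not enabled when the group stores DNs in 'uniqueMember', while a filter built from the configured attribute matches. The helper names, the sample group entry and the DNs are constructed for illustration, and the filter-value escaping is an addition that the quoted code does not show.

```python
import re

# Added illustration, not Keystone code; every name below is hypothetical.

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def membership_filter(member_attribute, user_dn):
    """Build the membership test from the configured attribute name."""
    return '(%s=%s)' % (member_attribute, escape_filter_value(user_dn))


def entry_matches(entry, ldap_filter):
    """Stand-in for the SCOPE_BASE search: evaluate one (attr=value) filter
    against a single entry. Case-insensitive string comparison is a
    simplification of real DN matching."""
    attr, _, escaped = ldap_filter[1:-1].partition('=')
    value = re.sub(r'\\([0-9a-fA-F]{2})',
                   lambda m: chr(int(m.group(1), 16)), escaped)
    by_name = {k.lower(): v for k, v in entry.items()}
    return any(v.lower() == value.lower() for v in by_name.get(attr.lower(), []))


# Constructed sample: an emulation group whose schema uses uniqueMember.
ENABLED_GROUP = {
    'objectClass': ['groupOfUniqueNames'],
    'cn': ['enabled_users'],
    'uniqueMember': ['cn=alice,ou=Users,dc=example,dc=org'],
}
ALICE = 'cn=alice,ou=Users,dc=example,dc=org'
BOB = 'cn=bob,ou=Users,dc=example,dc=org'


def is_enabled(user_dn, member_attribute):
    """Emulated 'enabled' check: is user_dn listed in ENABLED_GROUP?"""
    return entry_matches(ENABLED_GROUP,
                         membership_filter(member_attribute, user_dn))


if __name__ == '__main__':
    print(is_enabled(ALICE, 'member'))        # hard-coded attribute
    print(is_enabled(ALICE, 'uniquemember'))  # configured attribute
    print(is_enabled(BOB, 'uniquemember'))
```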
