Public bug reported:

In order to configure Keystone LDAP integration the upstream docs suggest using cn for user_id_attribute [1].

A more stable alternative attribute to cn as a user ID could be objectGUID, but it doesn't work in keystone:

  $ openstack user list --domain fd8fbe474db94bb6bd8fa2c29da508c9
  ID attribute objectGUID not found in LDAP object CN=..... (HTTP 404) (Request-ID: req-d4564a60-2359-44b4-8b44-76f4345c9df9)

ldapsearch returns the attribute correctly using the same query as the one failing in keystone.

[1] https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1895903

Title:
  Can't use objectGUID as user_id_attribute in Keystone/LDAP integration

