[Bug 1782922] Re: LDAP: changing user_id_attribute bricks group mapping
Felipe Reyes
1782922 at bugs.launchpad.net
Thu Nov 28 01:06:50 UTC 2019
Tested the package that fixes this bug following the instructions at
https://launchpadlibrarian.net/449185359/bug-1782922-testing.txt,
everything works OK, and no regressions were detected.
testing bed log:
$ tox -e func-smoke
func-smoke installed: DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support,amulet==1.21.0,aodhclient==1.3.0,appdirs==1.4.3,Babel==2.7.0,backports.os==0.1.1,blessings==1.6,bundletester==0.12.2,certifi==2019.9.11,cffi==1.13.1,chardet==3.0.4,charm-tools==2.7.2,charmhelpers==0.20.4,Cheetah3==3.2.4,cliff==2.16.0,cmd2==0.8.9,colander==1.7.0,configparser==4.0.2,contextlib2==0.6.0.post1,coverage==4.5.4,cryptography==2.8,debtcollector==1.22.0,decorator==4.4.0,dict2colander==0.2,distro==1.4.0,distro-info==0.0.0,dogpile.cache==0.8.0,entrypoints==0.3,enum34==1.1.6,extras==1.0.0,fasteners==0.15,fixtures==3.0.0,flake8==2.4.1,funcsigs==1.0.2,functools32==3.2.3.post2,future==0.18.1,futures==3.3.0,futurist==1.9.0,gnocchiclient==3.1.1,httplib2==0.14.0,idna==2.8,importlib-metadata==0.23,ipaddress==1.0.23,iso8601==0.1.12,Jinja2==2.10.3,jmespath==0.9.4,jsonpatch==1.24,jsonpointer==2.0,jsonschema==2.5.1,juju-deployer==0.11.0,juju-wait==2.5.0,jujubundlelib==0.5.6,jujuclient==0.54.0,keyring==18.0.1,keystoneauth1==3.18.0,launchpadlib==1.10.7,lazr.authentication==0.1.3,lazr.restfulclient==0.14.2,lazr.uri==1.0.3,libcharmstore==0.0.9,linecache2==1.0.0,macaroonbakery==1.2.3,MarkupSafe==1.1.1,mccabe==0.3.1,mock==3.0.5,monotonic==1.5,more-itertools==5.0.0,msgpack==0.6.2,munch==2.3.2,netaddr==0.7.19,netifaces==0.10.9,nose==1.3.7,oauth==1.0.1,oauthlib==3.1.0,openstacksdk==0.36.0,os-client-config==1.33.0,os-service-types==1.7.0,osc-lib==1.14.1,oslo.concurrency==3.30.0,oslo.config==6.11.1,oslo.context==2.23.0,oslo.i18n==3.24.0,oslo.log==3.44.1,oslo.serialization==2.29.2,oslo.utils==3.41.2,osprofiler==2.8.2,otherstuf==1.1.0,parse==1.12.1,path.py==11.5.2,pathlib2==2.3.5,pathspec==0.3.4,pbr==5.4.3,pep8==1.7.1,pika==0.13.1,pkg-resources==0.0.0,prettytable==0.7.2,protobuf==3.10.0,pycparser==2.19,pyflakes==0.8.1,pyinotify==0.9.6,pymacaroons==0.13.0,PyNaCl==1.3.0,pyOpenSSL==19.0.0,pyparsing==2.4.2,pyperclip==1.7.0,pyRFC3339==1.1,python-barbicanclient==4.9.0,python-ceilometerclient==2.9.0,python-cinderclient==4.3.0,python-dateutil==2.8.0,python-designateclient==3.0.0,python-glanceclient==2.17.0,python-heatclient==1.18.0,python-keystoneclient==3.22.0,python-manilaclient==1.29.0,python-mimeparse==1.6.0,python-neutronclient==6.14.0,python-novaclient==16.0.0,python-openstackclient==4.0.0,python-subunit==1.3.0,python-swiftclient==3.8.1,pytz==2019.3,pyudev==0.21.0,PyYAML==3.13,requests==2.22.0,requestsexceptions==1.4.0,rfc3986==1.3.2,ruamel.ordereddict==0.4.14,ruamel.yaml==0.15.100,scandir==1.10.0,SecretStorage==2.3.1,simplejson==3.16.0,six==1.12.0,stestr==2.5.1,stevedore==1.31.0,stuf==0.9.16,subprocess32==3.5.4,Tempita==0.5.2,testresources==2.0.1,testtools==2.3.0,theblues==0.5.2,traceback2==1.4.0,translationstring==1.3,unicodecsv==0.14.1,unittest2==1.1.0,urllib3==1.25.6,vergit==1.0.2,virtualenv==16.7.7,voluptuous==0.11.7,wadllib==1.3.3,warlock==1.3.3,wcwidth==0.1.7,WebOb==1.8.5,websocket-client==0.40.0,wrapt==1.11.2,wsgi-intercept==1.9.0,zipp==0.6.0,zope.interface==4.6.0
func-smoke run-test-pre: PYTHONHASHSEED='0'
func-smoke runtests: commands[0] | bundletester -vl DEBUG -r json -o func-results.json gate-basic-xenial-queens --no-destroy
DEBUG:bundletester.utils:Updating JUJU_MODEL: "" -> "laptop:admin/lp1782922-xenial"
DEBUG:root:Bootstrap environment: laptop:admin/lp1782922-xenial
DEBUG:deployer.env:Connecting to laptop:admin/lp1782922-xenial...
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.7:17070/model/a92a4e4e-4efa-48c7-8682-62cfbc070af8/api
DEBUG:deployer.env:Connected.
DEBUG:deployer.env: Terminating machines forcefully
INFO:deployer.env: Waiting for machine termination
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.7:17070/model/a92a4e4e-4efa-48c7-8682-62cfbc070af8/api
DEBUG:root:Waiting for applications to be removed...
DEBUG:runner:call ['/home/freyes/Projects/charms/openstack/builds/keystone-ldap/.tox/func-smoke/bin/charm-proof'] (cwd: /tmp/bundletester-j7cjEm/keystone-ldap)
DEBUG:runner:I: `display-name` not provided, add for custom naming in the UI
DEBUG:runner:I: config.yaml: option ssl_key has no default value
DEBUG:runner:I: config.yaml: option ssl_cert has no default value
DEBUG:runner:I: config.yaml: option ldap-user has no default value
DEBUG:runner:I: config.yaml: option ldap-server has no default value
DEBUG:runner:I: config.yaml: option ssl_ca has no default value
DEBUG:runner:I: config.yaml: option ldap-password has no default value
DEBUG:runner:I: config.yaml: option domain-name has no default value
DEBUG:runner:I: config.yaml: option ldap-suffix has no default value
DEBUG:runner:I: config.yaml: option ldap-config-flags has no default value
DEBUG:runner:I: config.yaml: option tls-ca-ldap has no default value
DEBUG:runner:Exit Code: 0
DEBUG:deployer.env: Terminating machines forcefully
INFO:deployer.env: Waiting for machine termination
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.7:17070/model/a92a4e4e-4efa-48c7-8682-62cfbc070af8/api
DEBUG:root:Waiting for applications to be removed...
DEBUG:runner:call ['/tmp/bundletester-j7cjEm/keystone-ldap/tests/gate-basic-xenial-queens'] (cwd: /tmp/bundletester-j7cjEm/keystone-ldap)
DEBUG:runner:2019-11-27 11:08:36,110 __init__ INFO: OpenStackAmuletDeployment: init
DEBUG:runner:2019-11-27 11:08:36,110 _add_services INFO: OpenStackAmuletDeployment: adding services
DEBUG:runner:2019-11-27 11:08:36,110 _determine_branch_locations INFO: OpenStackAmuletDeployment: determine branch locations
DEBUG:runner:2019-11-27 11:08:40 Starting deployment of laptop:admin/lp1782922-xenial
DEBUG:runner:2019-11-27 11:08:42 Deploying applications...
DEBUG:runner:2019-11-27 11:08:42 Deploying application keystone using cs:~openstack-charmers-next/keystone-467
DEBUG:runner:2019-11-27 11:08:52 Deploying application keystone-ldap using /tmp/charmJ5PVHa/xenial/keystone-ldap
DEBUG:runner:2019-11-27 11:10:35 Deploying application ldap-server using /tmp/charmjlK4UC/xenial/charm-ldap-test-fixture
DEBUG:runner:2019-11-27 11:10:42 Deploying application percona-cluster using cs:~openstack-charmers-next/percona-cluster-356
DEBUG:runner:2019-11-27 11:10:57 Config specifies num units for subordinate: keystone-ldap
DEBUG:runner:2019-11-27 11:22:21 Adding relations...
DEBUG:runner:2019-11-27 11:22:22 Adding relation keystone:shared-db <-> percona-cluster:shared-db
DEBUG:runner:2019-11-27 11:22:22 Adding relation keystone:domain-backend <-> keystone-ldap:domain-backend
DEBUG:runner:2019-11-27 11:26:51 Deployment complete in 1091.41 seconds
DEBUG:runner:2019-11-27 11:27:46,007 _configure_services INFO: OpenStackAmuletDeployment: configure services
DEBUG:runner:2019-11-27 11:27:51,161 __init__ INFO: Waiting on extended status checks...
DEBUG:runner:2019-11-27 11:27:51,162 _auto_wait_for_status INFO: Waiting for extended status on units for 5400s...
DEBUG:runner:2019-11-27 11:27:51,162 _auto_wait_for_status DEBUG: Default extended status wait match: contains READY (case-insensitive)
DEBUG:runner:2019-11-27 11:27:51,163 _auto_wait_for_status DEBUG: Excluding services from extended status match: ['mysql', 'mongodb']
DEBUG:runner:2019-11-27 11:27:51,163 _auto_wait_for_status DEBUG: Waiting up to 5400s for extended status on services: ['keystone-ldap', 'keystone', 'ldap-server', 'percona-cluster']
DEBUG:runner:2019-11-27 11:29:46,075 _auto_wait_for_status INFO: OK
DEBUG:runner:2019-11-27 11:30:02,539 get_default_keystone_session DEBUG: Authenticating keystone admin...
DEBUG:runner:Exit Code: 0
DEBUG:bundletester.utils:Updating JUJU_MODEL: "laptop:admin/lp1782922-xenial" -> ""
_____________________________________________________________________________________________________ summary ______________________________________________________________________________________________________
func-smoke: commands succeeded
congratulations :)
##### scenario 1 #######
$ juju ssh keystone/0 sudo -i
root at juju-070af8-lp1782922-xenial-0:~# vim /etc/keystone/domains/keystone.userdomain.conf
root at juju-070af8-lp1782922-xenial-0:~# vim /etc/keystone/domains/keystone.userdomain.conf
root at juju-070af8-lp1782922-xenial-0:~# logout
Connection to 10.5.0.6 closed.
$ juju config keystone
^C
$ juju config keystone debug
false
$ juju config keystone debug=true
$ juju status
Model             Controller  Cloud/Region       Version  SLA          Timestamp
lp1782922-xenial  laptop      stsstack/stsstack  2.7-rc6  unsupported  21:47:44-03:00

App              Version  Status  Scale  Charm              Store       Rev  OS      Notes
keystone         13.0.2   active      1  keystone           jujucharms  467  ubuntu
keystone-ldap    13.0.2   active      1  keystone-ldap      local         0  ubuntu
ldap-server               active      1  ldap-test-fixture  local         0  ubuntu
percona-cluster  5.6.37   active      1  percona-cluster    jujucharms  356  ubuntu

Unit                Workload  Agent  Machine  Public address  Ports     Message
keystone/0*         active    idle   0        10.5.0.6        5000/tcp  Unit is ready
  keystone-ldap/0*  active    idle            10.5.0.6                  Unit is ready
ldap-server/0*      active    idle   1        10.5.0.11                 Unit is ready
percona-cluster/0*  active    idle   2        10.5.0.19       3306/tcp  Unit is ready

Machine  State    DNS        Inst id                               Series  AZ    Message
0        started  10.5.0.6   905934a5-4fe0-4c2f-b249-70edfef5a4ca  xenial  nova  ACTIVE
1        started  10.5.0.11  443397eb-e9cb-4a7b-b133-44635d2b3caf  xenial  nova  ACTIVE
2        started  10.5.0.19  fa579222-6b55-4680-b170-1a31214f3573  xenial  nova  ACTIVE
$ source ~/Projects/charms/openstack/openstack-charm-testing/openrcv3_project
bash: /home/freyes/Projects/charms/openstack/openstack-charm-testing/openrcv3_project: No such file or directory
$ source ~/Projects/charms/openstack/openstack-charm-testing/novarcv3_project
$ openstack user list --domain userdomain
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 1b9a018f848f00823adebee7f33c4c7e89ae468786db0e25b996a95d886d88e1 | Jane Doe |
| 24e6a4cfc9d49781c9412cb85820d845c8a53c0cd6b1117ac7fabb2dafd9d664 | John Doe |
+------------------------------------------------------------------+----------+
$ openstack group list --domain userdomain
+------------------------------------------------------------------+-------+
| ID | Name |
+------------------------------------------------------------------+-------+
| 278964a62a482b347e28a2a8f2ea618453c2e058d7942e68714bd1c6dd141626 | cloud |
+------------------------------------------------------------------+-------+
$ openstack user list --group cloud --domain userdomain
$ juju ssh keystone/0 sudo -i
root at juju-070af8-lp1782922-xenial-0:~# apt-cache policy keystone
keystone:
Installed: 2:13.0.2-0ubuntu1~cloud0
Candidate: 2:13.0.2-0ubuntu1~cloud0
Version table:
*** 2:13.0.2-0ubuntu1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/queens/main amd64 Packages
100 /var/lib/dpkg/status
2:9.3.0-0ubuntu3.2 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
2:9.3.0-0ubuntu3.1 500
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
2:9.0.0-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
root at juju-070af8-lp1782922-xenial-0:~# vim /etc/apt/sources.list.d/cloud-archive.list
root at juju-070af8-lp1782922-xenial-0:~# apt-get update -qq
root at juju-070af8-lp1782922-xenial-0:~# apt-cache policy keystone
keystone:
Installed: 2:13.0.2-0ubuntu1~cloud0
Candidate: 2:13.0.2-0ubuntu2~cloud0
Version table:
2:13.0.2-0ubuntu2~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens/main amd64 Packages
*** 2:13.0.2-0ubuntu1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/queens/main amd64 Packages
100 /var/lib/dpkg/status
2:9.3.0-0ubuntu3.2 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
2:9.3.0-0ubuntu3.1 500
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
2:9.0.0-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
root at juju-070af8-lp1782922-xenial-0:~# apt-get upgrade -qq
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_CL.UTF-8",
LC_MONETARY = "es_CL.UTF-8",
LC_ADDRESS = "es_CL.UTF-8",
LC_TELEPHONE = "es_CL.UTF-8",
LC_NAME = "es_CL.UTF-8",
LC_MEASUREMENT = "es_CL.UTF-8",
LC_IDENTIFICATION = "es_CL.UTF-8",
LC_NUMERIC = "es_CL.UTF-8",
LC_PAPER = "es_CL.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory
(Reading database ... 70460 files and directories currently installed.)
Preparing to unpack .../dh-python_3.20180325ubuntu2~cloud1_all.deb ...
Unpacking dh-python (3.20180325ubuntu2~cloud1) over (2.20151103ubuntu1.2) ...
Preparing to unpack .../libhogweed4_3.4-1~cloud0_amd64.deb ...
Unpacking libhogweed4:amd64 (3.4-1~cloud0) over (3.2-1ubuntu0.16.04.1) ...
Preparing to unpack .../libnettle6_3.4-1~cloud0_amd64.deb ...
Unpacking libnettle6:amd64 (3.4-1~cloud0) over (3.2-1ubuntu0.16.04.1) ...
Preparing to unpack .../dnsmasq-base_2.79-1~cloud0_amd64.deb ...
Unpacking dnsmasq-base (2.79-1~cloud0) over (2.75-1ubuntu0.16.04.5) ...
Preparing to unpack .../libnuma1_2.0.11-2.1ubuntu0.1~cloud0_amd64.deb ...
Unpacking libnuma1:amd64 (2.0.11-2.1ubuntu0.1~cloud0) over (2.0.11-1ubuntu1.1) ...
Preparing to unpack .../python3-cffi-backend_1.11.5-1~cloud0_amd64.deb ...
Unpacking python3-cffi-backend (1.11.5-1~cloud0) over (1.5.2-1ubuntu1) ...
Preparing to unpack .../python3-chardet_3.0.4-1~cloud0_all.deb ...
Unpacking python3-chardet (3.0.4-1~cloud0) over (2.3.0-2) ...
Preparing to unpack .../python3-dnspython_1.15.0-1~cloud0_all.deb ...
Unpacking python3-dnspython (1.15.0-1~cloud0) over (1.12.0-0ubuntu3) ...
Preparing to unpack .../python3-idna_2.6-1~cloud0_all.deb ...
Unpacking python3-idna (2.6-1~cloud0) over (2.0-3) ...
Preparing to unpack .../keystone_2%3a13.0.2-0ubuntu2~cloud0_all.deb ...
Unpacking keystone (2:13.0.2-0ubuntu2~cloud0) over (2:13.0.2-0ubuntu1~cloud0) ...
Preparing to unpack .../python-keystone_2%3a13.0.2-0ubuntu2~cloud0_all.deb ...
Unpacking python-keystone (2:13.0.2-0ubuntu2~cloud0) over (2:13.0.2-0ubuntu1~cloud0) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for libc-bin (2.23-0ubuntu11) ...
Processing triggers for dbus (1.10.6-1ubuntu3.4) ...
Setting up dh-python (3.20180325ubuntu2~cloud1) ...
Setting up libnettle6:amd64 (3.4-1~cloud0) ...
Setting up libhogweed4:amd64 (3.4-1~cloud0) ...
Setting up dnsmasq-base (2.79-1~cloud0) ...
Setting up libnuma1:amd64 (2.0.11-2.1ubuntu0.1~cloud0) ...
Setting up python3-cffi-backend (1.11.5-1~cloud0) ...
Setting up python3-chardet (3.0.4-1~cloud0) ...
Setting up python3-dnspython (1.15.0-1~cloud0) ...
Setting up python3-idna (2.6-1~cloud0) ...
Setting up python-keystone (2:13.0.2-0ubuntu2~cloud0) ...
Setting up keystone (2:13.0.2-0ubuntu2~cloud0) ...
apache2_invoke keystone.conf: no action - site was disabled by maintainer
Processing triggers for libc-bin (2.23-0ubuntu11) ...
root at juju-070af8-lp1782922-xenial-0:~# apt-cache policy keystone
keystone:
Installed: 2:13.0.2-0ubuntu2~cloud0
Candidate: 2:13.0.2-0ubuntu2~cloud0
Version table:
*** 2:13.0.2-0ubuntu2~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens/main amd64 Packages
100 /var/lib/dpkg/status
2:13.0.2-0ubuntu1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/queens/main amd64 Packages
2:9.3.0-0ubuntu3.2 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
2:9.3.0-0ubuntu3.1 500
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
2:9.0.0-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
root at juju-070af8-lp1782922-xenial-0:~# logout
Connection to 10.5.0.6 closed.
~/Projects/charms/openstack/openstack-charm-testing ⑂ master $ juju config keystone debug=false
~/Projects/charms/openstack/openstack-charm-testing ⑂ master $ juju status
Model             Controller  Cloud/Region       Version  SLA          Timestamp
lp1782922-xenial  laptop      stsstack/stsstack  2.7-rc6  unsupported  21:57:23-03:00

App              Version  Status  Scale  Charm              Store       Rev  OS      Notes
keystone         13.0.2   active      1  keystone           jujucharms  467  ubuntu
keystone-ldap    13.0.2   active      1  keystone-ldap      local         0  ubuntu
ldap-server               active      1  ldap-test-fixture  local         0  ubuntu
percona-cluster  5.6.37   active      1  percona-cluster    jujucharms  356  ubuntu

Unit                Workload  Agent  Machine  Public address  Ports     Message
keystone/0*         active    idle   0        10.5.0.6        5000/tcp  Unit is ready
  keystone-ldap/0*  active    idle            10.5.0.6                  Unit is ready
ldap-server/0*      active    idle   1        10.5.0.11                 Unit is ready
percona-cluster/0*  active    idle   2        10.5.0.19       3306/tcp  Unit is ready

Machine  State    DNS        Inst id                               Series  AZ    Message
0        started  10.5.0.6   905934a5-4fe0-4c2f-b249-70edfef5a4ca  xenial  nova  ACTIVE
1        started  10.5.0.11  443397eb-e9cb-4a7b-b133-44635d2b3caf  xenial  nova  ACTIVE
2        started  10.5.0.19  fa579222-6b55-4680-b170-1a31214f3573  xenial  nova  ACTIVE
$ openstack user list --domain userdomain
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 1b9a018f848f00823adebee7f33c4c7e89ae468786db0e25b996a95d886d88e1 | Jane Doe |
| 24e6a4cfc9d49781c9412cb85820d845c8a53c0cd6b1117ac7fabb2dafd9d664 | John Doe |
+------------------------------------------------------------------+----------+
$ openstack group list --domain userdomain
+------------------------------------------------------------------+-------+
| ID | Name |
+------------------------------------------------------------------+-------+
| 278964a62a482b347e28a2a8f2ea618453c2e058d7942e68714bd1c6dd141626 | cloud |
+------------------------------------------------------------------+-------+
$ openstack user list --group cloud --domain userdomain
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 24e6a4cfc9d49781c9412cb85820d845c8a53c0cd6b1117ac7fabb2dafd9d664 | John Doe |
| 1b9a018f848f00823adebee7f33c4c7e89ae468786db0e25b996a95d886d88e1 | Jane Doe |
+------------------------------------------------------------------+----------+
##### scenario 2 #####
~/Projects/charms/openstack/openstack-charm-testing ⑂ master $ juju ssh keystone/0 sudo -i
root at juju-070af8-lp1782922-xenial-0:~# vim /etc/keystone/domains/keystone.userdomain.conf
root at juju-070af8-lp1782922-xenial-0:~# logout
Connection to 10.5.0.6 closed.
~/Projects/charms/openstack/openstack-charm-testing ⑂ master $ juju config keystone debug
false
~/Projects/charms/openstack/openstack-charm-testing ⑂ master $ juju config keystone debug=true
~/Projects/charms/openstack/openstack-charm-testing ⑂ master $ juju status
Model             Controller  Cloud/Region       Version  SLA          Timestamp
lp1782922-xenial  laptop      stsstack/stsstack  2.7-rc6  unsupported  22:01:15-03:00

App              Version  Status  Scale  Charm              Store       Rev  OS      Notes
keystone         13.0.2   active      1  keystone           jujucharms  467  ubuntu
keystone-ldap    13.0.2   active      1  keystone-ldap      local         0  ubuntu
ldap-server               active      1  ldap-test-fixture  local         0  ubuntu
percona-cluster  5.6.37   active      1  percona-cluster    jujucharms  356  ubuntu

Unit                Workload  Agent  Machine  Public address  Ports     Message
keystone/0*         active    idle   0        10.5.0.6        5000/tcp  Unit is ready
  keystone-ldap/0*  active    idle            10.5.0.6                  Unit is ready
ldap-server/0*      active    idle   1        10.5.0.11                 Unit is ready
percona-cluster/0*  active    idle   2        10.5.0.19       3306/tcp  Unit is ready

Machine  State    DNS        Inst id                               Series  AZ    Message
0        started  10.5.0.6   905934a5-4fe0-4c2f-b249-70edfef5a4ca  xenial  nova  ACTIVE
1        started  10.5.0.11  443397eb-e9cb-4a7b-b133-44635d2b3caf  xenial  nova  ACTIVE
2        started  10.5.0.19  fa579222-6b55-4680-b170-1a31214f3573  xenial  nova  ACTIVE
$ openstack user list --domain userdomain
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| c60ed2d1939faa01214e08b7296073f9f029787a475d5dbd58137df4cf19f895 | Jane Doe |
| a0eb6e5ef6ff52b3f119794e72773c5f9286278335ef1566065f87fa9aa0314f | John Doe |
+------------------------------------------------------------------+----------+
$ openstack group list --domain userdomain
+------------------------------------------------------------------+-------+
| ID | Name |
+------------------------------------------------------------------+-------+
| 278964a62a482b347e28a2a8f2ea618453c2e058d7942e68714bd1c6dd141626 | cloud |
+------------------------------------------------------------------+-------+
$ openstack user list --group cloud --domain userdomain
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| a0eb6e5ef6ff52b3f119794e72773c5f9286278335ef1566065f87fa9aa0314f | John Doe |
| c60ed2d1939faa01214e08b7296073f9f029787a475d5dbd58137df4cf19f895 | Jane Doe |
+------------------------------------------------------------------+----------+
** Tags removed: verification-queens-needed
** Tags added: verification-queens-done
** Tags removed: verification-needed
** Tags added: verification-done
https://bugs.launchpad.net/bugs/1782922
Title:
LDAP: changing user_id_attribute bricks group mapping
Status in Ubuntu Cloud Archive:
Triaged
Status in Ubuntu Cloud Archive queens series:
Fix Committed
Status in Ubuntu Cloud Archive rocky series:
Fix Released
Status in Ubuntu Cloud Archive stein series:
Fix Released
Status in Ubuntu Cloud Archive train series:
Fix Released
Status in OpenStack Identity (keystone):
Fix Released
Status in keystone package in Ubuntu:
Fix Released
Status in keystone source package in Bionic:
Fix Committed
Status in keystone source package in Cosmic:
Won't Fix
Status in keystone source package in Disco:
Fix Released
Status in keystone source package in Eoan:
Fix Released
Bug description:
[Impact]
When using the keystone LDAP backend, changing user_id_attribute breaks group mapping. This is because the _dn_to_id() method only calculated the uid to be the first RDN of the DN. _dn_to_id() is updated in the fix to also deal with the case where the uid is set to a different attribute.
[Test Case]
See details in comment #25: https://bugs.launchpad.net/keystone/+bug/1782922/comments/25
[Regression Potential]
The patch takes a minimal approach to the fix and includes unit tests to help ensure the patched code doesn't regress. The patches have landed in all upstream releases back to stable/queens which helps get even more exposure with upstream reviews, gate testing and real deployments.
[Original Description]
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone. [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (e.g. for posixGroups) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
Edit: related
https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2]
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3]
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296
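The following is an added illustration, not keystone's code and not part of the bug report: a small in-memory model of the two mappings the description contrasts. Users get their keystone id from `user_id_attribute`, while the first-RDN shortcut derives a member's id from the `CN` in its DN; with `user_id_attribute = sAMAccountName` the two sets never intersect, so `list_users_in_group` comes back empty, exactly what scenario 1 shows before the upgrade. The `dn_to_id_lookup` function implements the approach the reporter proposes (resolve the member DN and read the configured attribute from the entry). The directory entries, DNs, `jdoe`/`jadoe` account names and the `DIRECTORY` dict are constructed for this example. Note that the 64-hex-character IDs in the `openstack` listings above are keystone's hashed public ids for a domain-specific backend; this example works at the level of the LDAP-local ids those hashes are derived from, which is also why the user ids in scenario 2 differ from scenario 1 while the group id stays the same.

```python
"""Added example, not keystone's own code: a minimal model of the
DN-to-user-id mapping the bug description discusses.  The directory,
DNs and attribute values below are constructed for illustration."""
import re

# Constructed AD-style entries keyed by DN (not real data).  Users are
# named by CN in the RDN, but the login name lives in sAMAccountName.
DIRECTORY = {
    "CN=John Doe,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "cn": "John Doe", "sAMAccountName": "jdoe"},
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "cn": "Jane Doe", "sAMAccountName": "jadoe"},
    "CN=cloud,OU=Groups,DC=example,DC=com": {
        "objectClass": "group", "cn": "cloud",
        "member": ["CN=John Doe,OU=Users,DC=example,DC=com",
                   "CN=Jane Doe,OU=Users,DC=example,DC=com"]},
}
GROUP_DN = "CN=cloud,OU=Groups,DC=example,DC=com"


def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN.  Backslash escapes
    (RFC 4514) are honoured, so 'CN=Doe\\, John,OU=...' splits on the
    right comma and the value comes back unescaped."""
    m = re.match(r"\s*([A-Za-z][\w.-]*)\s*=((?:\\.|[^,])*)", dn)
    if not m:
        raise ValueError("not a DN: %r" % (dn,))
    value = re.sub(r"\\(.)", r"\1", m.group(2)).strip()
    return m.group(1), value


def dn_to_id_first_rdn(dn, user_id_attribute, directory=DIRECTORY):
    """The shortcut the report describes: the RDN value is taken as the
    user id no matter which user_id_attribute is configured."""
    return first_rdn(dn)[1]


def dn_to_id_lookup(dn, user_id_attribute, directory=DIRECTORY):
    """Trust the RDN only when its attribute *is* user_id_attribute;
    otherwise read the entry behind the DN and take the configured
    attribute from it.  Dangling 'member' DNs resolve to None."""
    attr, value = first_rdn(dn)
    if attr.lower() == user_id_attribute.lower():
        return value
    entry = directory.get(dn)
    return entry.get(user_id_attribute) if entry else None


def user_ids(user_id_attribute, directory=DIRECTORY):
    """Ids keystone assigns when creating/listing users: the configured
    attribute of every user entry (this half of the mapping was right)."""
    return {e[user_id_attribute] for e in directory.values()
            if e.get("objectClass") == "user"}


def users_in_group(group_dn, user_id_attribute, dn_to_id,
                   directory=DIRECTORY):
    """Map every 'member' DN to an id with dn_to_id and keep only ids of
    known users, which is what list_users_in_group effectively does after
    _transform_group_member_ids.  'member' order is preserved."""
    known = user_ids(user_id_attribute, directory)
    ids = [dn_to_id(dn, user_id_attribute, directory)
           for dn in directory[group_dn]["member"]]
    return [i for i in ids if i in known]


if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        print("user_id_attribute=%s" % attr,
              "first-RDN:", users_in_group(GROUP_DN, attr, dn_to_id_first_rdn),
              "lookup:", users_in_group(GROUP_DN, attr, dn_to_id_lookup))
```

With `user_id_attribute = cn` both mappers agree, which is why the problem only surfaces once the id attribute differs from the RDN attribute. The lookup variant costs one extra base-scope read per member DN that is not already keyed by `user_id_attribute`, which is the trade-off the fixed package accepts.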