[Bug 1782922] Re: LDAP: changing user_id_attribute bricks group mapping
Felipe Reyes
1782922 at bugs.launchpad.net
Thu Oct 24 00:30:25 UTC 2019
Hello Corey,
I was trying to verify the SRU that is in disco-proposed, without success. IIUC, the commands "openstack user list" and "openstack group list" should fail when the package installed is 2:15.0.0-0ubuntu1.1; here is the output of my terminal, could you help me understand if I'm doing something wrong?
$ juju add-model lp1782922 && sleep 5 && tox -e func-smoke
Added 'lp1782922' model on stsstack/stsstack with credential 'laptop' for user 'laptop'
func-smoke installed: DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support,amulet==1.21.0,aodhclient==1.3.0,appdirs==1.4.3,Babel==2.7.0,backports.os==0.1.1,blessings==1.6,bundletester==0.12.2,certifi==2019.9.11,cffi==1.13.1,chardet==3.0.4,charm-tools==2.7.2,charmhelpers==0.20.4,Cheetah3==3.2.4,cliff==2.16.0,cmd2==0.8.9,colander==1.7.0,configparser==4.0.2,contextlib2==0.6.0.post1,coverage==4.5.4,cryptography==2.8,debtcollector==1.22.0,decorator==4.4.0,dict2colander==0.2,distro==1.4.0,distro-info==0.0.0,dogpile.cache==0.8.0,entrypoints==0.3,enum34==1.1.6,extras==1.0.0,fasteners==0.15,fixtures==3.0.0,flake8==2.4.1,funcsigs==1.0.2,functools32==3.2.3.post2,future==0.18.1,futures==3.3.0,futurist==1.9.0,gnocchiclient==3.1.1,httplib2==0.14.0,idna==2.8,importlib-metadata==0.23,ipaddress==1.0.23,iso8601==0.1.12,Jinja2==2.10.3,jmespath==0.9.4,jsonpatch==1.24,jsonpointer==2.0,jsonschema==2.5.1,juju-deployer==0.11.0,juju-wait==2.5.0,jujubundlelib==0.5.6,jujuclient==0.54.0,keyring==18.0.1,keystoneauth1==3.18.0,launchpadlib==1.10.7,lazr.authentication==0.1.3,lazr.restfulclient==0.14.2,lazr.uri==1.0.3,libcharmstore==0.0.9,linecache2==1.0.0,macaroonbakery==1.2.3,MarkupSafe==1.1.1,mccabe==0.3.1,mock==3.0.5,monotonic==1.5,more-itertools==5.0.0,msgpack==0.6.2,munch==2.3.2,netaddr==0.7.19,netifaces==0.10.9,nose==1.3.7,oauth==1.0.1,oauthlib==3.1.0,openstacksdk==0.36.0,os-client-config==1.33.0,os-service-types==1.7.0,osc-lib==1.14.1,oslo.concurrency==3.30.0,oslo.config==6.11.1,oslo.context==2.23.0,oslo.i18n==3.24.0,oslo.log==3.44.1,oslo.serialization==2.29.2,oslo.utils==3.41.2,osprofiler==2.8.2,otherstuf==1.1.0,parse==1.12.1,path.py==11.5.2,pathlib2==2.3.5,pathspec==0.3.4,pbr==5.4.3,pep8==1.7.1,pika==0.13.1,pkg-resources==0.0.0,prettytable==0.7.2,protobuf==3.10.0,pycparser==2.19,pyflakes==0.8.1,pyinotify==0.9.6,pymacaroons==0.13.0,PyNaCl==1.3.0,pyOpenSSL==19.0.0,pyparsing==2.4.2,pyperclip==1.7.0,pyRFC3339==1.1,python-barbicanclient==4.9.0,python-ceilometerclient==2.9.0,python-cinderclient==4.3.0,python-dateutil==2.8.0,python-designateclient==3.0.0,python-glanceclient==2.17.0,python-heatclient==1.18.0,python-keystoneclient==3.22.0,python-manilaclient==1.29.0,python-mimeparse==1.6.0,python-neutronclient==6.14.0,python-novaclient==16.0.0,python-openstackclient==4.0.0,python-subunit==1.3.0,python-swiftclient==3.8.1,pytz==2019.3,pyudev==0.21.0,PyYAML==3.13,requests==2.22.0,requestsexceptions==1.4.0,rfc3986==1.3.2,ruamel.ordereddict==0.4.14,ruamel.yaml==0.15.100,scandir==1.10.0,SecretStorage==2.3.1,simplejson==3.16.0,six==1.12.0,stestr==2.5.1,stevedore==1.31.0,stuf==0.9.16,subprocess32==3.5.4,Tempita==0.5.2,testresources==2.0.1,testtools==2.3.0,theblues==0.5.2,traceback2==1.4.0,translationstring==1.3,unicodecsv==0.14.1,unittest2==1.1.0,urllib3==1.25.6,vergit==1.0.2,virtualenv==16.7.7,voluptuous==0.11.7,wadllib==1.3.3,warlock==1.3.3,wcwidth==0.1.7,WebOb==1.8.5,websocket-client==0.40.0,wrapt==1.11.2,wsgi-intercept==1.9.0,zipp==0.6.0,zope.interface==4.6.0
func-smoke run-test-pre: PYTHONHASHSEED='0'
func-smoke runtests: commands[0] | bundletester -vl DEBUG -r json -o func-results.json dev-basic-disco-stein --no-destroy
DEBUG:bundletester.utils:Updating JUJU_MODEL: "" -> "stsstack-stsstack:laptop/lp1782922"
DEBUG:root:Bootstrap environment: stsstack-stsstack:laptop/lp1782922
DEBUG:deployer.env:Connecting to stsstack-stsstack:laptop/lp1782922...
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.5:17070/model/e7ab1a55-5cb4-4787-827f-72c414ce7443/api
DEBUG:deployer.env:Connected.
DEBUG:deployer.env: Terminating machines forcefully
INFO:deployer.env: Waiting for machine termination
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.5:17070/model/e7ab1a55-5cb4-4787-827f-72c414ce7443/api
DEBUG:root:Waiting for applications to be removed...
DEBUG:runner:call ['/home/freyes/Projects/charms/openstack/builds/keystone-ldap/.tox/func-smoke/bin/charm-proof'] (cwd: /tmp/bundletester-0AQeci/keystone-ldap)
DEBUG:runner:I: `display-name` not provided, add for custom naming in the UI
DEBUG:runner:I: config.yaml: option ssl_key has no default value
DEBUG:runner:I: config.yaml: option ssl_cert has no default value
DEBUG:runner:I: config.yaml: option ldap-user has no default value
DEBUG:runner:I: config.yaml: option ldap-server has no default value
DEBUG:runner:I: config.yaml: option ssl_ca has no default value
DEBUG:runner:I: config.yaml: option ldap-password has no default value
DEBUG:runner:I: config.yaml: option domain-name has no default value
DEBUG:runner:I: config.yaml: option ldap-suffix has no default value
DEBUG:runner:I: config.yaml: option ldap-config-flags has no default value
DEBUG:runner:I: config.yaml: option tls-ca-ldap has no default value
DEBUG:runner:Exit Code: 0
DEBUG:deployer.env: Terminating machines forcefully
INFO:deployer.env: Waiting for machine termination
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.5:17070/model/e7ab1a55-5cb4-4787-827f-72c414ce7443/api
DEBUG:root:Waiting for applications to be removed...
DEBUG:runner:call ['/tmp/bundletester-0AQeci/keystone-ldap/tests/dev-basic-disco-stein'] (cwd: /tmp/bundletester-0AQeci/keystone-ldap)
DEBUG:runner:2019-10-23 20:46:33,392 __init__ INFO: OpenStackAmuletDeployment: init
DEBUG:runner:2019-10-23 20:46:33,392 _add_services INFO: OpenStackAmuletDeployment: adding services
DEBUG:runner:2019-10-23 20:46:33,392 _determine_branch_locations INFO: OpenStackAmuletDeployment: determine branch locations
DEBUG:runner:2019-10-23 20:46:37 Starting deployment of stsstack-stsstack:laptop/lp1782922
DEBUG:runner:2019-10-23 20:46:40 Deploying applications...
DEBUG:runner:2019-10-23 20:46:40 Deploying application keystone using cs:~openstack-charmers-next/keystone-466
DEBUG:runner:2019-10-23 20:46:48 Deploying application keystone-ldap using /tmp/charmNpMIBv/disco/keystone-ldap
DEBUG:runner:2019-10-23 20:47:37 Deploying application ldap-server using /tmp/charmJYDRRa/disco/charm-ldap-test-fixture
DEBUG:runner:2019-10-23 20:47:45 Deploying application percona-cluster using cs:~openstack-charmers-next/percona-cluster-355
DEBUG:runner:2019-10-23 20:47:59 Config specifies num units for subordinate: keystone-ldap
DEBUG:runner:2019-10-23 20:57:47 Adding relations...
DEBUG:runner:2019-10-23 20:57:48 Adding relation keystone:shared-db <-> percona-cluster:shared-db
DEBUG:runner:2019-10-23 20:57:48 Adding relation keystone:domain-backend <-> keystone-ldap:domain-backend
DEBUG:runner:2019-10-23 21:02:15 Deployment complete in 938.02 seconds
DEBUG:runner:2019-10-23 21:03:19,577 _configure_services INFO: OpenStackAmuletDeployment: configure services
DEBUG:runner:2019-10-23 21:03:25,258 __init__ INFO: Waiting on extended status checks...
DEBUG:runner:2019-10-23 21:03:25,259 _auto_wait_for_status INFO: Waiting for extended status on units for 5400s...
DEBUG:runner:2019-10-23 21:03:25,259 _auto_wait_for_status DEBUG: Default extended status wait match: contains READY (case-insensitive)
DEBUG:runner:2019-10-23 21:03:25,260 _auto_wait_for_status DEBUG: Excluding services from extended status match: ['mysql', 'mongodb']
DEBUG:runner:2019-10-23 21:03:25,260 _auto_wait_for_status DEBUG: Waiting up to 5400s for extended status on services: ['keystone-ldap', 'keystone', 'ldap-server', 'percona-cluster']
DEBUG:runner:2019-10-23 21:05:44,955 _auto_wait_for_status INFO: OK
DEBUG:runner:2019-10-23 21:06:02,092 get_default_keystone_session DEBUG: Authenticating keystone admin...
DEBUG:runner:Exit Code: 0
DEBUG:bundletester.utils:Updating JUJU_MODEL: "stsstack-stsstack:laptop/lp1782922" -> ""
____________________________________________________________________ summary ____________________________________________________________________
func-smoke: commands succeeded
congratulations :)
$ juju ssh keystone/0 sudo su -
root at juju-ce7443-lp1782922-0:~# vim /etc/keystone/domains/keystone.userdomain.conf
root at juju-ce7443-lp1782922-0:~# systemctl restart apache2
root at juju-ce7443-lp1782922-0:~# logout
Connection to 10.5.0.11 closed.
$ juju ssh keystone/0 sudo grep group_ /etc/keystone/domains/keystone.userdomain.conf
group_allow_create = False
group_allow_update = False
group_allow_delete = False
group_id_attribute = gidNumber
group_name_attribute = gidNumber
group_member_attribute = memberUid
group_members_are_ids = True
group_objectclass = posixGroup
#group_id_attribute = businessCategory
#group_name_attribute = businessCategory
#group_member_attribute = member
#group_members_are_ids = False
#group_objectclass = groupOfNames
group_tree_dn = ou=groups,dc=test,dc=com
Connection to 10.5.0.11 closed.
$ # scenario 1
$ juju ssh keystone/0 apt policy keystone
keystone:
Installed: 2:15.0.0-0ubuntu1.1
Candidate: 2:15.0.0-0ubuntu1.1
Version table:
*** 2:15.0.0-0ubuntu1.1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu disco-updates/main amd64 Packages
100 /var/lib/dpkg/status
2:15.0.0-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu disco/main amd64 Packages
Connection to 10.5.0.11 closed.
$ source ~/Projects/charms/stsstack-bundles/openstack/novarc
$ openstack user list --domain userdomain
+------------------------------------------------------------------+---------+
| ID | Name |
+------------------------------------------------------------------+---------+
| fca724553c7756d1e9685b44da25da773a0565fdf9465fa96444331f54686a01 | janedoe |
| 4586f674fa6708aad5ed4018b04ddfc518b159413af4ccefaec1cd06e3aeb0a1 | johndoe |
+------------------------------------------------------------------+---------+
$ openstack group list --domain userdomain
+------------------------------------------------------------------+------+
| ID | Name |
+------------------------------------------------------------------+------+
| 3755aa0c2ac48b44bcf712e87a1c8f981c8aad6beb095474559971c5b14f928f | 500 |
+------------------------------------------------------------------+------+
$ openstack user list --group 500 --domain userdomain
+------------------------------------------------------------------+---------+
| ID | Name |
+------------------------------------------------------------------+---------+
| 4586f674fa6708aad5ed4018b04ddfc518b159413af4ccefaec1cd06e3aeb0a1 | johndoe |
| fca724553c7756d1e9685b44da25da773a0565fdf9465fa96444331f54686a01 | janedoe |
+------------------------------------------------------------------+---------+
$ #### scenario 2
$ juju ssh keystone/0 sudo su -
root at juju-ce7443-lp1782922-0:~# vim /etc/keystone/domains/keystone.userdomain.conf
root at juju-ce7443-lp1782922-0:~# systemctl restart apache2
root at juju-ce7443-lp1782922-0:~# logout
Connection to 10.5.0.11 closed.
$ juju ssh keystone/0 sudo grep group_ /etc/keystone/domains/keystone.userdomain.conf
group_allow_create = False
group_allow_update = False
group_allow_delete = False
#group_id_attribute = gidNumber
#group_name_attribute = gidNumber
#group_member_attribute = memberUid
#group_members_are_ids = True
#group_objectclass = posixGroup
group_id_attribute = businessCategory
group_name_attribute = businessCategory
group_member_attribute = member
group_members_are_ids = False
group_objectclass = groupOfNames
group_tree_dn = ou=groups,dc=test,dc=com
Connection to 10.5.0.11 closed.
$ openstack user list --domain userdomain
+------------------------------------------------------------------+---------+
| ID | Name |
+------------------------------------------------------------------+---------+
| fca724553c7756d1e9685b44da25da773a0565fdf9465fa96444331f54686a01 | janedoe |
| 4586f674fa6708aad5ed4018b04ddfc518b159413af4ccefaec1cd06e3aeb0a1 | johndoe |
+------------------------------------------------------------------+---------+
$ openstack group list --domain userdomain
+------------------------------------------------------------------+-------+
| ID | Name |
+------------------------------------------------------------------+-------+
| a149dbfdc392a207da41189749fa57b265d5f0dde697aa1a1d72963db226c5f6 | cloud |
+------------------------------------------------------------------+-------+
$ openstack user list --group cloud --domain userdomain
+------------------------------------------------------------------+---------+
| ID | Name |
+------------------------------------------------------------------+---------+
| 4586f674fa6708aad5ed4018b04ddfc518b159413af4ccefaec1cd06e3aeb0a1 | johndoe |
| fca724553c7756d1e9685b44da25da773a0565fdf9465fa96444331f54686a01 | janedoe |
+------------------------------------------------------------------+---------+
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1782922
Title: LDAP: changing user_id_attribute bricks group mapping
Status in Ubuntu Cloud Archive: Triaged
Status in Ubuntu Cloud Archive queens series: Triaged
Status in Ubuntu Cloud Archive rocky series: Fix Committed
Status in Ubuntu Cloud Archive stein series: Fix Committed
Status in Ubuntu Cloud Archive train series: Fix Released
Status in OpenStack Identity (keystone): Fix Released
Status in keystone package in Ubuntu: Fix Released
Status in keystone source package in Bionic: Triaged
Status in keystone source package in Cosmic: Won't Fix
Status in keystone source package in Disco: Fix Committed
Status in keystone source package in Eoan: Fix Released
Bug description:
[Impact]
When using the keystone LDAP backend, changing user_id_attribute breaks group mapping. This is because the _dn_to_id() method only calculated the uid to be the first RDN of the DN. _dn_to_id() is updated in the fix to also deal with the case where the uid is set to a different attribute.
[Test Case]
See details in comment #5: https://bugs.launchpad.net/keystone/+bug/1782922/comments/5
[Regression Potential]
The patch takes a minimal approach to the fix and includes unit tests to help ensure the patched code doesn't regress. The patches have landed in all upstream releases back to stable/queens which helps get even more exposure with upstream reviews, gate testing and real deployments.
[Original Description]
Env Details:
Openstack version: Queens (17.0.5)
OS: CentOS 7.5
LDAP: Active Directory, Windows Server 2012R2
We changed the user_id_attribute to sAMAccountName when configuring keystone [ user_id_attribute = "sAMAccountName" ; group_members_are_ids = False ]. Unfortunately this bricks the group mapping logic in keystone.
The relevant code in keystone:
`list_users_in_group` [1] -> gets all groups from the LDAP server, and then calls `_transform_group_member_ids`. `_transform_group_member_ids` tries to match the user ids (for posixGroups e.g.) or the DN. However, DN matching does not match the full DN. It rather takes the first RDN of the DN and computes the keystone user id [2]. The first RDN in Active Directory is the "CN", while the user-create part honors the user_id_attribute and takes "sAMAccountName" in our configuration. The generated user ids in keystone now do not match anymore and hence group mapping is broken.
A fix could be looking up the user by the DN received from the 'member' attribute of a given group and comparing the configured 'user_id_attribute' of the received LDAP user with the user id stored in keystone. A quick fix could also be to mention that behavior in the documentation.
/e: related
https://bugs.launchpad.net/keystone/+bug/1231488/comments/19
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1285
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L126
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L1296
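As an added illustration, not code from keystone or from the bug report, the mismatch described above modelled in Python: the AD-style directory, the placeholder domain id and the simplified sha256 id derivation are constructed assumptions, and `member_ids_after_fix` mirrors the lookup-by-DN approach the reporter suggests rather than keystone's actual implementation.

```python
import hashlib

# Constructed AD-style directory: the leftmost RDN is the CN, while the login
# name lives in sAMAccountName (the attribute the reporter configured as
# user_id_attribute). DNs are kept simple; escaped commas are not handled.
DIRECTORY = {
    "cn=John Doe,ou=users,dc=test,dc=com": {"cn": "John Doe", "sAMAccountName": "johndoe"},
    "cn=Jane Doe,ou=users,dc=test,dc=com": {"cn": "Jane Doe", "sAMAccountName": "janedoe"},
}
GROUP_MEMBERS = list(DIRECTORY)  # constructed groupOfNames 'member' values
DOMAIN_ID = "userdomain-id-placeholder"  # assumption: any fixed domain id works


def public_id(local_id, domain_id=DOMAIN_ID):
    # Opaque public id for an LDAP user: sha256 over domain id + local id.
    # Keystone's sha256 generator hashes the (domain_id, local_id) pair; the
    # exact concatenation is an assumption of this model.
    return hashlib.sha256((domain_id + local_id).encode("utf-8")).hexdigest()

def split_first_rdn(dn):
    # ('cn', 'John Doe') for 'cn=John Doe,ou=users,...'
    attr, value = dn.split(",", 1)[0].split("=", 1)
    return attr.lower(), value

def listed_user_ids(directory, user_id_attribute):
    # Ids 'openstack user list' would show: derived from user_id_attribute.
    return {public_id(entry[user_id_attribute]) for entry in directory.values()}

def member_ids_before_fix(member_dns):
    # Buggy _dn_to_id behaviour: the first RDN value is taken as the local id
    # regardless of which attribute user_id_attribute names.
    return {public_id(split_first_rdn(dn)[1]) for dn in member_dns}

def member_ids_after_fix(member_dns, directory, user_id_attribute):
    # Fixed behaviour: if the DN's naming attribute is not user_id_attribute,
    # resolve the entry by DN and read the configured attribute instead.
    ids = set()
    for dn in member_dns:
        naming_attr, value = split_first_rdn(dn)
        if naming_attr == user_id_attribute.lower():
            ids.add(public_id(value))
        elif dn in directory:
            ids.add(public_id(directory[dn][user_id_attribute]))
    return ids

def users_in_group(member_ids, known_user_ids):
    # Members that resolve to a listed user; empty means group mapping is broken.
    return sorted(member_ids & known_user_ids)
```

With user_id_attribute set to cn the two code paths agree; with sAMAccountName the pre-fix path yields ids that match no listed user, which is the empty group membership the bug describes.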