LDAP user name attribute is case sensitive

Bug #1753585 reported by Matthew Edmonds
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Vishakha Agarwal

Bug Description

keystone was not able to find any users while the LDAP user name attribute was configured to "samaccountname", but could find users when reconfigured to use "sAMAccountName". LDAP is not supposed to be case-sensitive, so either should work.

This appears to be a result of https://github.com/openstack/keystone/blob/12.0.0.0rc2/keystone/identity/backends/ldap/common.py#L1403 looking for that attribute in a case-sensitive manner, though there may be other places as well.

found in: Pike

Revision history for this message
Lance Bragstad (lbragstad) wrote :

The workaround here is to reconfigure the username attribute configuration option in keystone to be an exact match of what is in LDAP, correct?

Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
tags: added: ldap
Revision history for this message
Matthew Edmonds (edmondsw) wrote :

correct

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/603345

Changed in keystone:
status: Confirmed → In Progress
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Colleen Murphy (krinkle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/603345
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=816b472a9d20e4e7cfe33f2f40ef5daae590795e
Submitter: Zuul
Branch: master

commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
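
The mismatch described in the bug report and the lower-casing approach named in the commit message, shown as an added Python example that is not keystone's code. The function names, the mapping shape and the sample directory entries are constructed for illustration.

```python
# Added illustration; names here are hypothetical, not keystone's own code.

# Constructed search results in the (dn, attrs) shape python-ldap returns on
# Python 3: attribute names keep the directory's casing, values are bytes.
RESULTS = [
    ("CN=Jane Doe,OU=Users,DC=example,DC=test",
     {"sAMAccountName": [b"jdoe"], "mail": [b"jdoe@example.test"]}),
    ("CN=Sam Roe,OU=Users,DC=example,DC=test",
     {"sAMAccountName": [b"sroe"], "mail": [b"sroe@example.test"]}),
]


def map_exact(attrs, mapping):
    """Pre-fix behaviour: the configured name must match the key exactly."""
    user = {}
    for field, ldap_attr in mapping.items():
        values = attrs.get(ldap_attr)  # misses when only the casing differs
        if values:
            user[field] = values[0].decode("utf-8")
    return user


def map_lowered(attrs, mapping):
    """Post-fix idea: lower-case both sides before comparing."""
    lowered = {name.lower(): values for name, values in attrs.items()}
    user = {}
    for field, ldap_attr in mapping.items():
        values = lowered.get(ldap_attr.lower())
        if values:
            user[field] = values[0].decode("utf-8")
    return user


def find_user(results, name, mapping, mapper):
    """Return the mapped user whose 'name' equals `name`, or None."""
    for dn, attrs in results:
        user = mapper(attrs, mapping)
        if user.get("name") == name:
            return dict(user, dn=dn)
    return None


if __name__ == "__main__":
    for attr in ("sAMAccountName", "samaccountname"):
        mapping = {"name": attr, "email": "mail"}
        print(attr, find_user(RESULTS, "jdoe", mapping, map_exact),
              find_user(RESULTS, "jdoe", mapping, map_lowered))
```

With the exact-match mapper the lower-case setting yields no user at all, which is the symptom reported; the lowered mapper returns the same record for either spelling.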

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/607056

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/607197

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/607198

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/queens)

Reviewed: https://review.openstack.org/607197
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c1e96d42d3446614c2475b5716a075eac67ea73f
Submitter: Zuul
Branch: stable/queens

commit c1e96d42d3446614c2475b5716a075eac67ea73f
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
    (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/pike)

Reviewed: https://review.openstack.org/607198
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=55fda22d5b9f6c99ce093aefe13b3cb728e47748
Submitter: Zuul
Branch: stable/pike

commit 55fda22d5b9f6c99ce093aefe13b3cb728e47748
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
    (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)

tags: added: in-stable-pike
tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/607056
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=15a8ae937d1aa2a288770e06c99c36ba28dae481
Submitter: Zuul
Branch: stable/rocky

commit 15a8ae937d1aa2a288770e06c99c36ba28dae481
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 18 15:17:07 2018 +0530

    LDAP attribute names non-case-sensitive

    keystone was not able to find any users while
    the LDAP user name attribute was configured to
    "samaccountname", but could find users when
    reconfigured to use "sAMAccountName". LDAP is
    not supposed to be case-sensitive, so either
    should work.

    This patch addresses the above problem by making
    both the attributes into lower case. Also updated
    the ldap_result example supporting python3.

    Change-Id: I51813ac41489baed04f3cadbccd748e03025313e
    Closes-Bug: #1753585
    (cherry picked from commit 816b472a9d20e4e7cfe33f2f40ef5daae590795e)

Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 13.0.2

This issue was fixed in the openstack/keystone 13.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.2

This issue was fixed in the openstack/keystone 12.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.1

This issue was fixed in the openstack/keystone 14.0.1 release.

Changed in keystone:
milestone: none → stein-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
