Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

I have found the bug in the keystone/common/ldap/ module. The problem is with the id_to_dn_string function. The function incorrectly assembles the object's distinguishedName if any attribute other than cn is used for the user_id_attribute. I can work around the issue by commenting out the lines that call this function within the associated function id_to_dn as shown below:

def _id_to_dn_string(self, id):
    return '%s=%s,%s' % (self.id_attr,

def _id_to_dn(self, id):
    #if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:
    # return self._id_to_dn_string(id)
    conn = self.get_connection()
    search_result = conn.search_s(
        self.tree_dn, self.LDAP_SCOPE,
        '(&(%(id_attr)s=%(id)s)(objectclass=%(objclass)s))' %
        {'id_attr': self.id_attr,
         'id': ldap.filter.escape_filter_chars(str(id)),
         'objclass': self.object_class})
    if search_result:
        dn, attrs = search_result[0]
        return dn
        return self._id_to_dn_string(id)

With these lines removed, I can successfully use samAccountName as the user_id_attribute. I hope this is helpful!