
# Revision history

I have found the bug in the keystone/common/ldap/core.py module. The problem is with the id_to_dn_string function. The function incorrectly assembles the object's distinguishedName if any attribute other than cn is used for the user_id_attribute. I can work around the issue by commenting out the lines that call this function within the associated function id_to_dn as shown below:

```python
import ldap
import ldap.dn
import ldap.filter

# Both functions are methods of the LDAP backend class in keystone/common/ldap/core.py.

def _id_to_dn_string(self, id):
    # Builds '<id_attr>=<id>,<tree_dn>' without consulting the directory; this
    # is only a valid DN when id_attr is the entry's RDN attribute (e.g. cn).
    return '%s=%s,%s' % (self.id_attr,
                         ldap.dn.escape_dn_chars(str(id)),
                         self.tree_dn)


def _id_to_dn(self, id):
    # Workaround: the string shortcut is commented out so the entry is always
    # looked up by search and the DN the directory holds is returned.
    #if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:
    #    return self._id_to_dn_string(id)
    conn = self.get_connection()
    search_result = conn.search_s(
        self.tree_dn, self.LDAP_SCOPE,
        '(&(%(id_attr)s=%(id)s)(objectclass=%(objclass)s))' %
        {'id_attr': self.id_attr,
         'id': ldap.filter.escape_filter_chars(str(id)),
         'objclass': self.object_class})
    if search_result:
        dn, attrs = search_result[0]
        return dn
    else:
        return self._id_to_dn_string(id)
```


With these lines removed, I can successfully use samAccountName as the user_id_attribute. I hope this is helpful!
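The following is an added example, not code from the post above or from keystone, showing why the two lookup strategies in the post differ. It runs against a constructed in-memory directory instead of python-ldap, with small stand-ins for `ldap.dn.escape_dn_chars`, `ldap.filter.escape_filter_chars` and `conn.search_s` (all hypothetical names here). The entries are Active Directory style, where the RDN attribute is `CN` while the login identifier is `sAMAccountName`: string assembly yields a DN that does not exist, while the search-based lookup returns the real one, and the filter escaping keeps a user id containing filter metacharacters matched literally.

```python
import re

# Constructed sample directory (not a real server): Active Directory style
# entries whose RDN attribute is CN while the login id is in sAMAccountName.
TREE_DN = "OU=Users,DC=example,DC=com"
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "cn": "Jane Doe", "sAMAccountName": "jdoe", "objectClass": "person"},
    "CN=Smith\\, John,OU=Users,DC=example,DC=com": {
        "cn": "Smith, John", "sAMAccountName": "jsmith", "objectClass": "person"},
}


def escape_dn_chars(value):
    """RFC 4514 escaping for an attribute value placed in a DN (stand-in for
    ldap.dn.escape_dn_chars)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_chars(value):
    """RFC 4515 escaping for a value placed in a search filter (stand-in for
    ldap.filter.escape_filter_chars): metacharacters become \\XX hex escapes."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def id_to_dn_string(id_attr, user_id, tree_dn):
    """String assembly as in keystone's _id_to_dn_string. The result is only a
    real DN when id_attr happens to be the entry's RDN attribute."""
    return "%s=%s,%s" % (id_attr, escape_dn_chars(user_id), tree_dn)


def build_filter(id_attr, user_id, object_class):
    """The equality filter keystone's _id_to_dn sends, with the id escaped so
    any filter metacharacters in it are matched literally."""
    return "(&(%s=%s)(objectclass=%s))" % (
        id_attr, escape_filter_chars(user_id), object_class)


_FILTER_RE = re.compile(r"^\(&\(([^=()]+)=(.*)\)\(objectclass=([^()]+)\)\)$")


def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _attr(attrs, name):
    # LDAP attribute names are case-insensitive.
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), None)


def search_s(base_dn, flt):
    """Minimal stand-in for conn.search_s: subtree entries under base_dn that
    match an '(&(attr=value)(objectclass=cls))' equality filter."""
    m = _FILTER_RE.match(flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    attr, value, objclass = m.group(1), _unescape_filter_value(m.group(2)), m.group(3)
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower().endswith("," + base_dn.lower())
        if (in_scope and _attr(attrs, attr) == value
                and (_attr(attrs, "objectClass") or "").lower() == objclass.lower()):
            hits.append((dn, attrs))
    return hits


def id_to_dn(id_attr, user_id, tree_dn, object_class="person"):
    """Search-based lookup like keystone's _id_to_dn: return the DN the
    directory actually holds; fall back to string assembly only on no match."""
    result = search_s(tree_dn, build_filter(id_attr, user_id, object_class))
    if result:
        return result[0][0]
    return id_to_dn_string(id_attr, user_id, tree_dn)


def dn_exists(dn):
    """Whether the directory holds an entry with this DN (case-insensitive)."""
    return dn.lower() in {k.lower() for k in DIRECTORY}


if __name__ == "__main__":
    for attr, uid in (("cn", "Jane Doe"), ("sAMAccountName", "jdoe")):
        guessed = id_to_dn_string(attr, uid, TREE_DN)
        print("%-15s string form %-48s exists=%s" % (attr, guessed, dn_exists(guessed)))
        print("%-15s search form %s" % (attr, id_to_dn(attr, uid, TREE_DN)))
```

Running it shows `cn=Jane Doe,...` exists while `sAMAccountName=jdoe,...` does not, which is exactly the mismatch the workaround in the post avoids by always searching. The fallback to string assembly when the search finds nothing is kept from the original logic, so a DN built that way should still be treated as unverified until it is bound or read.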