Tuesday, 2019-05-14

*** dklyle has quit IRC		00:11
*** itlinux has joined #openstack-keystone		00:14
*** itlinux has quit IRC		00:22
*** itlinux has joined #openstack-keystone		00:24
*** itlinux has quit IRC		00:25
*** itlinux has joined #openstack-keystone		00:26
openstackgerrit	Merged openstack/oslo.policy master: Cap Bandit below 1.6.0 and update Sphinx requirement https://review.opendev.org/658906	00:39
*** itlinux has quit IRC		00:41
*** itlinux has joined #openstack-keystone		00:44
*** itlinux has quit IRC		00:47
openstackgerrit	caoyuan proposed openstack/keystoneauth master: Replace git.openstack.org URLs with opendev.org URLs https://review.opendev.org/655016	01:22
*** ileixe has joined #openstack-keystone		01:30
*** dklyle has joined #openstack-keystone		01:37
*** dklyle has quit IRC		01:54
*** mvkr has quit IRC		02:41
*** mvkr has joined #openstack-keystone		02:55
*** whoami-rajat has joined #openstack-keystone		02:59
*** jdennis has quit IRC		03:48
*** mvkr has quit IRC		04:03
*** pcaruana\|afk\| has joined #openstack-keystone		04:25
*** pcaruana\|afk\| has quit IRC		04:35
*** shyamb has joined #openstack-keystone		05:20
*** vishalmanchanda has joined #openstack-keystone		05:35
*** shyamb has quit IRC		06:14
*** shyamb has joined #openstack-keystone		06:17
*** xek has joined #openstack-keystone		06:35
*** shyamb has quit IRC		06:45
*** shyamb has joined #openstack-keystone		06:56
*** awalende has joined #openstack-keystone		07:03
openstackgerrit	Jose Castro Leon proposed openstack/keystone master: Allow to filter endpoint groups by name https://review.opendev.org/658359	07:05
*** tesseract has joined #openstack-keystone		07:05
*** rcernin has quit IRC		07:06
*** pcaruana has joined #openstack-keystone		07:12
*** shyamb has quit IRC		07:54
*** vishakha has joined #openstack-keystone		08:10
*** tkajinam has quit IRC		08:14
*** jaosorior has quit IRC		08:25
*** shyamb has joined #openstack-keystone		08:34
*** jaosorior has joined #openstack-keystone		09:41
*** raildo has joined #openstack-keystone		09:53
*** shyamb has quit IRC		10:22
*** jaosorior has quit IRC		10:24
*** shyamb has joined #openstack-keystone		10:46
*** jaosorior has joined #openstack-keystone		11:03
*** josecastroleon has quit IRC		11:35
*** shyamb has quit IRC		11:42
*** shyamb has joined #openstack-keystone		11:49
*** shyamb has quit IRC		12:25
*** shyamb has joined #openstack-keystone		12:25
*** jdennis has joined #openstack-keystone		12:29
*** shyamb has quit IRC		12:34
*** mchlumsky has joined #openstack-keystone		12:41
*** mchlumsky has quit IRC		12:46
*** jamesmcarthur has joined #openstack-keystone		12:46
*** mchlumsky has joined #openstack-keystone		12:50
*** jistr is now known as jistr\|call		12:59
openstackgerrit	caoyuan proposed openstack/oslo.policy master: Replace git.openstack.org URLs with opendev.org URLs https://review.opendev.org/654727	13:14
*** lbragstad has joined #openstack-keystone		13:15
*** ChanServ sets mode: +o lbragstad		13:15
*** dmellado has quit IRC		13:24
*** dmellado has joined #openstack-keystone		13:24
*** jistr\|call is now known as jistr		13:30
*** jamesmcarthur has quit IRC		13:36
*** awalende has quit IRC		13:53
*** awalende has joined #openstack-keystone		13:53
*** jamesmcarthur has joined #openstack-keystone		13:56
*** vishakha has quit IRC		13:56
*** jamesmcarthur has quit IRC		13:57
*** awalende has quit IRC		13:58
*** jamesmcarthur has joined #openstack-keystone		13:58
*** awalende has joined #openstack-keystone		13:59
*** awalende has quit IRC		14:03
*** dklyle has joined #openstack-keystone		14:13
gagehugo	o/	14:51
cmurphy	\o	14:52
knikolla	\o/	15:03
kmalloc	zzzzz \o/	15:03
*** ayoung has quit IRC		15:10
*** mchlumsky has quit IRC		15:13
*** mchlumsky has joined #openstack-keystone		15:15
*** mchlumsky has quit IRC		15:28
*** mchlumsky has joined #openstack-keystone		15:30
*** ayoung has joined #openstack-keystone		15:39
*** vishakha has joined #openstack-keystone		15:46
*** dklyle has quit IRC		15:50
*** dklyle has joined #openstack-keystone		15:52
cmurphy	keystone meeting in 7 minutes in #openstack-meeting-alt	15:53
*** awalende has joined #openstack-keystone		15:54
*** openstackgerrit has quit IRC		15:54
*** awalende has quit IRC		15:59
*** gyee has joined #openstack-keystone		16:01
*** dklyle has quit IRC		16:11
*** dklyle has joined #openstack-keystone		16:16
*** dklyle has quit IRC		16:21
*** dklyle has joined #openstack-keystone		16:23
*** openstackgerrit has joined #openstack-keystone		16:33
*** vishalmanchanda has quit IRC		16:33
openstackgerrit	Douglas Mendizábal proposed openstack/keystone master: Fix documentation typo https://review.opendev.org/659118	16:33
*** jamesmcarthur has quit IRC		16:50
* knikolla goes to get a quick lunch before office hours		16:53
* kmalloc needs breakfast.		16:55
*** jamesmcarthur has joined #openstack-keystone		16:56
openstackgerrit	Raildo Mascena proposed openstack/keystone master: Fixing dn_to_id function for cases were id is not in the DN https://review.opendev.org/649177	16:56
ayoung	raildo, um....I thought that case was covered by lookup?	16:58
*** dklyle has quit IRC		16:59
cmurphy	i'll wait for knikolla and kmalloc to get back before opening office hours	17:00
kmalloc	i haven't left yet	17:00
kmalloc	:P	17:00
raildo	ayoung, hum... This code works fine when we have the id in the DN, if not, Keystone can't find the user, so we need to do the ldap search	17:00
ayoung	I thought that there was already a code path to do that	17:01
kmalloc	sooooooo... you might need to let me pop in and out while getting breakfast.	17:01
*** dklyle has joined #openstack-keystone		17:01
raildo	ayoung, but this patch still WIP, since I'm working with the unit tests to mock the ldap search for that case	17:01
*** jamesmcarthur has quit IRC		17:01
ayoung	I thought this code was only called IF we needed the ID to be extracted from the DN. Maybe it is the search-the-tree code that does it, I forget	17:02
raildo	ayoung, unfortunately, it's not called yet for that scenario, it only does a string manipulation to grab the id from the DN	17:03
ayoung	Nah, there is a hack around it, I'm sure	17:03
raildo	ayoung, great, can you point me for this link?	17:04
ayoung	its called from res_to_model	17:05
ayoung	the logic is in there	17:06
ayoung	that path is only called if there is an id attribute, but it is multi-value	17:06
ayoung	othewise it does the lookup	17:06
ayoung	https://opendev.org/openstack/keystone/src/branch/master/keystone/identity/backends/ldap/common.py#L1314 raildo	17:07
*** jamesmcarthur has joined #openstack-keystone		17:08
ayoung	I'm pretty sure you could inline that function. It should not be called from anywhere else	17:09
raildo	ayoung, I see your point, so on that case, iiuc, it'll return the first id, in the cased that the DN is multivalued, but in the case were we found this issue, it was using AD as backend for LDAP	17:09
raildo	So, when we have something like, 'tree_dn': 'cn=users,dc=example,dc=com','id_attr': 'sAMAccountName', 'sAMAccountName': user_id, This user_id not returned	17:10
ayoung	Open the bug first	17:11
*** jamesmcarthur has quit IRC		17:11
ayoung	I don't think you need this code. I mean, the code I wrote sucks, but you are stuck with it.	17:11
ayoung	the "pull the ID out of the DN" approach was an artifact of me making it work with FreeIPA first, and building a solution based on the faster lookups using the DN.	17:12
ayoung	And not having a SQL shadow table, and all the things that were true in 2011	17:12
raildo	ayoung, sure, agreed and makes sense keep doing on this way	17:13
raildo	ayoung, but, what I didn't understand yet is how to deal with that function when the id is not the DN, without performing an LDAP search query	17:15
ayoung	if you inline that function, you will see that it is only ever executed in the case where the ID IS in the DN	17:16
cmurphy	#startmeeting keystone-office-hours	17:20
openstack	Meeting started Tue May 14 17:20:30 2019 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:20
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:20
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		17:20
*** ChanServ changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"		17:20
openstack	The meeting name has been set to 'keystone_office_hours'	17:20
cmurphy	is anyone back for office hours?	17:20
raildo	ayoung, we found that issue calling this function: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L123-L137	17:20
gagehugo	o/	17:21
*** ayoung has quit IRC		17:22
*** canori01 has joined #openstack-keystone		17:24
canori01	Hello, when configuring keystone to authenticate against ldap, is it possible to specify multiple user_tree_dn ?	17:25
cmurphy	okay i'm going to close office hours so we can just have regular discussion, we'll do liaison review asynchronously and finalize at next week's meeting	17:27
cmurphy	#endmeeting	17:27
*** openstack changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"		17:27
openstack	Meeting ended Tue May 14 17:27:21 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	17:27
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2019/keystone_office_hours.2019-05-14-17.20.html	17:27
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2019/keystone_office_hours.2019-05-14-17.20.txt	17:27
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2019/keystone_office_hours.2019-05-14-17.20.log.html	17:27
cmurphy	canori01: i don't think it is possible to set multiiple user_tree_dn's	17:27
canori01	ok, thanks	17:28
kmalloc	ok back.	17:28
kmalloc	sorry, took longer to get things.	17:28
*** jamesmcarthur has joined #openstack-keystone		17:31
*** itlinux has joined #openstack-keystone		17:42
knikolla	back from lunch.	17:44
kmalloc	mmmm coffee #2	17:44
kmalloc	lbragstad: mind if i remove the automatic +o from you?	17:46
lbragstad	kmalloc yes please	17:46
lbragstad	er - no i don't mind, yes please remove it :)	17:46
*** itlinux has quit IRC		17:48
*** ChanServ sets mode: -o lbragstad		17:48
kmalloc	lbragstad: ^ there we go, done.	17:49
kmalloc	you should still be able to op yourself manually	17:49
lbragstad	++ thanks	17:49
kmalloc	interacting with chanserv, etc	17:49
*** dklyle has quit IRC		17:52
*** itlinux has joined #openstack-keystone		17:54
*** ayoung has joined #openstack-keystone		17:54
*** jamesmcarthur has quit IRC		17:55
*** jamesmcarthur has joined #openstack-keystone		17:56
*** mvkr has joined #openstack-keystone		17:58
*** jamesmcarthur has quit IRC		18:01
*** jamesmcarthur has joined #openstack-keystone		18:28
*** vishalmanchanda has joined #openstack-keystone		18:34
*** jamesmcarthur has quit IRC		18:48
*** schaney_ has joined #openstack-keystone		18:50
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update the meaning of low-hanging-fruit https://review.opendev.org/659141	18:57
*** itlinux has quit IRC		19:16
*** dklyle has joined #openstack-keystone		19:16
*** dklyle has quit IRC		19:19
*** david-lyle has joined #openstack-keystone		19:19
*** pcaruana has quit IRC		19:19
*** jamesmcarthur has joined #openstack-keystone		19:20
*** awalende has joined #openstack-keystone		19:25
cmurphy	team photos are up https://www.dropbox.com/sh/fydqjehy9h5y728/AADgMGvOMBaVIOUh3IvRfa_Xa/Keystone?dl=0&subfolder_nav_tracking=1	19:25
*** jamesmcarthur has quit IRC		19:27
*** jamesmcarthur_ has joined #openstack-keystone		19:28
*** jamesmcarthur has joined #openstack-keystone		19:29
*** jamesmcarthur_ has quit IRC		19:33
*** cwright has joined #openstack-keystone		19:38
*** david-lyle has quit IRC		19:42
rodrigods	nice!	19:45
knikolla	cool!	19:59
*** vishakha has quit IRC		20:05
*** tesseract has quit IRC		20:06
*** jmlowe has joined #openstack-keystone		20:06
cmurphy	lbragstad: we went through the spec backlog at the end of the ptg and came to http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html and http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html , given that they're pretty closely related what do you think about combining them?	20:15
lbragstad	yeah - that's probably a good idea	20:15
*** jamesmcarthur has quit IRC		20:15
lbragstad	at the time i think i was a little cautious about bloating specs	20:16
cmurphy	alright i will take a stab at that	20:17
*** awalende has quit IRC		20:19
lbragstad	thanks cmurphy	20:19
*** awalende has joined #openstack-keystone		20:20
*** awalende has quit IRC		20:24
*** itlinux has joined #openstack-keystone		20:27
*** jamesmcarthur has joined #openstack-keystone		20:31
*** jamesmcarthur_ has joined #openstack-keystone		20:37
*** jamesmcarthur has quit IRC		20:40
openstackgerrit	Colleen Murphy proposed openstack/keystone-specs master: Combine policy roadmap documents https://review.opendev.org/659159	20:41
*** jamesmcarthur_ has quit IRC		20:41
*** vishalmanchanda has quit IRC		20:44
*** jamesmcarthur has joined #openstack-keystone		20:47
*** jamesmcarthur has quit IRC		20:50
*** jamesmcarthur has joined #openstack-keystone		20:55
*** jamesmcarthur has quit IRC		20:55
*** jamesmcarthur has joined #openstack-keystone		20:55
*** jamesmcarthur has quit IRC		20:59
*** raildo has quit IRC		21:05
*** itlinux has quit IRC		21:07
openstackgerrit	Jim Rollenhagen proposed openstack/keystone master: Revert "Blacklist bandit 1.6.0" https://review.opendev.org/659164	21:10
jroll	^ this is a much cleaner fix, when folks have time	21:10
*** jamesmcarthur has joined #openstack-keystone		21:20
*** joshualyle has joined #openstack-keystone		21:23
*** dklyle has joined #openstack-keystone		21:27
joshualyle	I'm trying to configure LDAP on keystone at the moment and I've set driver=sql, domain_config_dir=/etc/keystone/domains, and domain_specific_drivers_enabled=True in the [identity] section and created a /etc/keystone/domains/blah.conf for my LDAP. How do I indicate that I want to login with LDAP vs the default SQL-based auth on the login page or do I need to set the multi-domain setting on horizon to make that distinction?	21:28
cmurphy	joshualyle: you need to use the multi-domain setting in horizon to let the user type or select the domain	21:29
joshualyle	so you can have EITHER the default SQL creds or LDAP?	21:29
joshualyle	for the default style login	21:29
*** jamesmcarthur has quit IRC		21:30
*** jamesmcarthur has joined #openstack-keystone		21:31
cmurphy	for the default login without setting up multidomain in horizon it would just default to the Default domain and ldap users wouldn't be able to log in	21:32
*** jamesmcarthur has quit IRC		21:36
*** jamesmcarthur has joined #openstack-keystone		21:40
*** jamesmcarthur has quit IRC		21:44
*** dklyle has quit IRC		21:44
*** dklyle has joined #openstack-keystone		21:44
*** mchlumsky has quit IRC		21:47
*** dklyle has quit IRC		21:50
*** rcernin has joined #openstack-keystone		22:00
*** whoami-rajat has quit IRC		22:18
*** tkajinam has joined #openstack-keystone		22:52
joshualyle	I'm trying to figure out ldap auth but cannot get it for the life of me. I can see the record just fine with the ldapsearch command but keystone is using (objectClass=xxxx) as a filter and it seems like that's throwing everything off. Is there a way to get it to just search by cn?	23:07
joshualyle	the ldap record has 4 definitions for objectClass	23:07
*** jamesmcarthur has joined #openstack-keystone		23:17
joshualyle	is there a way to disable keystone from trying to filter by user_id_attribute or user_objectclass? I can find the record just fine with just wildcarding them with ldapsearch but whatever keystone does with them prevents the record from being found	23:26
openstackgerrit	Merged openstack/keystone master: Fix documentation typo https://review.opendev.org/659118	23:44
*** irclogbot_0 has quit IRC		23:45
*** lbragstad has quit IRC		23:47
*** irclogbot_2 has joined #openstack-keystone		23:48
*** jamesmcarthur has quit IRC		23:49
*** itlinux has joined #openstack-keystone		23:49
*** jamesmcarthur has joined #openstack-keystone		23:49
*** jamesmcarthur has quit IRC		23:54

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!