Merge "Fix create and user-role-add in LDAP backend"

keystone/assignment/backends/ldap.py

@@ -536,7 +536,8 @@ class RoleApi(common_ldap.BaseLdap):
                 raise Exception(_("Role %s not found") % (role_id,))
 
             attrs = [('objectClass', [self.object_class]),
-                     (self.member_attribute, [user_dn])]
+                     (self.member_attribute, [user_dn]),
+                     (self.id_attr, [role_id])]
 
             if self.use_dumb_member:
                 attrs[1][1].append(self.dumb_member)

keystone/common/ldap/core.py

@@ -1662,8 +1662,18 @@ class EnabledEmuMixIn(BaseLdap):
         enabled_emulation_dn = '%s_enabled_emulation_dn' % self.options_name
         self.enabled_emulation_dn = getattr(conf.ldap, enabled_emulation_dn)
         if not self.enabled_emulation_dn:
-            self.enabled_emulation_dn = ('cn=enabled_%ss,%s' %
-                                         (self.options_name, self.tree_dn))
+            naming_attr_name = 'cn'
+            naming_attr_value = 'enabled_%ss' % self.options_name
+            sub_vals = (naming_attr_name, naming_attr_value, self.tree_dn)
+            self.enabled_emulation_dn = '%s=%s,%s' % sub_vals
+            naming_attr = (naming_attr_name, [naming_attr_value])
+        else:
+            # Extract the attribute name and value from the configured DN.
+            naming_dn = utf8_decode(
+                ldap.dn.str2dn(utf8_encode(self.enabled_emulation_dn)))
+            naming_rdn = naming_dn[0][0]
+            naming_attr = (naming_rdn[0], [naming_rdn[1]])
+        self.enabled_emulation_naming_attr = naming_attr
 
     def _get_enabled(self, object_id):
         dn = self._id_to_dn(object_id)
@@ -1688,8 +1698,8 @@ class EnabledEmuMixIn(BaseLdap):
                     conn.modify_s(self.enabled_emulation_dn, modlist)
                 except ldap.NO_SUCH_OBJECT:
                     attr_list = [('objectClass', ['groupOfNames']),
-                                 ('member',
-                                     [self._id_to_dn(object_id)])]
+                                 ('member', [self._id_to_dn(object_id)]),
+                                 self.enabled_emulation_naming_attr]
                     if self.use_dumb_member:
                         attr_list[1][1].append(self.dumb_member)
                     conn.add_s(self.enabled_emulation_dn, attr_list)

keystone/tests/fakeldap.py

@@ -247,6 +247,12 @@ class FakeLdap(core.LDAPHandler):
     def dn(self, dn):
         return core.utf8_decode(dn)
 
+    def _dn_to_id_attr(self, dn):
+        return core.utf8_decode(ldap.dn.str2dn(core.utf8_encode(dn))[0][0][0])
+
+    def _dn_to_id_value(self, dn):
+        return core.utf8_decode(ldap.dn.str2dn(core.utf8_encode(dn))[0][0][1])
+
     def key(self, dn):
         return '%s%s' % (self.__prefix, self.dn(dn))
 
@@ -288,12 +294,25 @@ class FakeLdap(core.LDAPHandler):
         if server_fail:
             raise ldap.SERVER_DOWN
 
+        id_attr_in_modlist = False
+        id_attr = self._dn_to_id_attr(dn)
+        id_value = self._dn_to_id_value(dn)
+
         # The LDAP API raises a TypeError if attr name is None.
         for k, dummy_v in modlist:
             if k is None:
                 raise TypeError('must be string, not None. modlist=%s' %
                                 modlist)
 
+            if k == id_attr:
+                for val in dummy_v:
+                    if core.utf8_decode(val) == id_value:
+                        id_attr_in_modlist = True
+
+        if not id_attr_in_modlist:
+            LOG.debug('id_attribute=%(attr)s missing, attributes=%(attrs)s' %
+                      {'attr': id_attr, 'attrs': modlist})
+            raise ldap.NAMING_VIOLATION
         key = self.key(dn)
         LOG.debug('add item: dn=%(dn)s, attrs=%(attrs)s', {
             'dn': core.utf8_decode(dn), 'attrs': modlist})