
yahoo-eng-team team mailing list archive

[Bug 1155234] Re: emulated ldap enabled improperly handles updates


** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => grizzly-rc1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1155234

Title:
  emulated ldap enabled improperly handles updates

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When tenant_enabled_emulation is set to true, update operations will
  fail with:

  TYPE_OR_VALUE_EXISTS: {'info': 'modify/add: member: value #0 already
  exists', 'desc': 'Type or value exists'}

  This is because during EnabledEmuMixIn.update, the object is checked
  for an enabled value. When it is true, the _add_enabled method is
  called. This does no checking, and assumes you want to add a new
  member attribute to your LDAP object. Since this is an update
  operation, it's possible the member attribute for that object already
  exists. A simple solution is something like:

  diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
  index a8b4fda..2ec675e 100644
  --- a/keystone/common/ldap/core.py
  +++ b/keystone/common/ldap/core.py
  @@ -496,19 +496,21 @@ class EnabledEmuMixIn(BaseLdap):
               return bool(enabled_value)

       def _add_enabled(self, object_id):
  -        conn = self.get_connection()
  -        modlist = [(ldap.MOD_ADD,
  -                    'member',
  -                    [self._id_to_dn(object_id)])]
  -        try:
  -            conn.modify_s(self.enabled_emulation_dn, modlist)
  -        except ldap.NO_SUCH_OBJECT:
  -            attr_list = [('objectClass', ['groupOfNames']),
  -                         ('member',
  -                         [self._id_to_dn(object_id)])]
  -            if self.use_dumb_member:
  -                attr_list[1][1].append(self.dumb_member)
  -            conn.add_s(self.enabled_emulation_dn, attr_list)
  +        enabled_value = self._get_enabled(object_id)
  +        if not enabled_value:
  +            conn = self.get_connection()
  +            modlist = [(ldap.MOD_ADD,
  +                        'member',
  +                        [self._id_to_dn(object_id)])]
  +            try:
  +                conn.modify_s(self.enabled_emulation_dn, modlist)
  +            except ldap.NO_SUCH_OBJECT:
  +                attr_list = [('objectClass', ['groupOfNames']),
  +                             ('member',
  +                             [self._id_to_dn(object_id)])]
  +                if self.use_dumb_member:
  +                    attr_list[1][1].append(self.dumb_member)
  +                conn.add_s(self.enabled_emulation_dn, attr_list)

       def _remove_enabled(self, object_id):
           conn = self.get_connection()
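
Review bot: the new `enabled_value = self._get_enabled(object_id)` guard in `_add_enabled` is a check-then-act sequence: between the `_get_enabled` read and `conn.modify_s(self.enabled_emulation_dn, modlist)` another Keystone process can add the same member DN, and the MOD_ADD will still raise TYPE_OR_VALUE_EXISTS, so the failure the bug describes is made rarer rather than impossible, and every update now pays an extra directory lookup. The idempotent form is to keep the unconditional MOD_ADD and catch `ldap.TYPE_OR_VALUE_EXISTS` next to the existing `except ldap.NO_SUCH_OBJECT:` branch, treating "already a member" as success; if the pre-check is kept for other reasons, a short comment explaining why it is preferred over catching the exception would help the next reader.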

  This way the modify operation is attempted if the object already exists.
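
The failure mode above, reproduced as an added stand-alone example rather than Keystone's own code: a small in-memory stand-in for a python-ldap connection rejects a duplicate `member` value exactly as the server does, so a second call to the original blind MOD_ADD raises TYPE_OR_VALUE_EXISTS, while the bug report's check-first variant and an exception-tolerant variant both end with the DN listed once. The constants `MOD_ADD`, the exception classes and the tenant DNs are constructed locally to mirror python-ldap's names; none of them come from a real directory.

```python
"""Simulation of Keystone's LDAP enabled-emulation group handling.

Added example, not Keystone's code. The names MOD_ADD, NO_SUCH_OBJECT and
TYPE_OR_VALUE_EXISTS mirror python-ldap's constant and exception names but
are defined here so the example runs with no LDAP server.
"""

MOD_ADD = 0  # constructed stand-in for ldap.MOD_ADD


class NO_SUCH_OBJECT(Exception):
    """Stand-in for ldap.NO_SUCH_OBJECT: the target entry does not exist."""


class TYPE_OR_VALUE_EXISTS(Exception):
    """Stand-in for ldap.TYPE_OR_VALUE_EXISTS: duplicate attribute value."""


class FakeLdapConnection:
    """In-memory directory: dn -> {attribute: [values]}."""

    def __init__(self):
        self.entries = {}

    def add_s(self, dn, attr_list):
        self.entries[dn] = {attr: list(values) for attr, values in attr_list}

    def modify_s(self, dn, modlist):
        if dn not in self.entries:
            raise NO_SUCH_OBJECT(dn)
        for op, attr, values in modlist:
            if op != MOD_ADD:
                raise NotImplementedError(op)
            current = self.entries[dn].setdefault(attr, [])
            for value in values:
                # Real servers reject a value that is already present.
                if value in current:
                    raise TYPE_OR_VALUE_EXISTS(
                        "modify/add: %s: value #0 already exists" % attr)
                current.append(value)


# Constructed DNs; the real values come from keystone.conf.
ENABLED_EMULATION_DN = "cn=enabled_tenants,ou=tenants,dc=example,dc=com"


def id_to_dn(object_id):
    return "cn=%s,ou=tenants,dc=example,dc=com" % object_id


def add_enabled_original(conn, object_id):
    """Pre-fix behaviour: a blind MOD_ADD that fails on a second call."""
    modlist = [(MOD_ADD, "member", [id_to_dn(object_id)])]
    try:
        conn.modify_s(ENABLED_EMULATION_DN, modlist)
    except NO_SUCH_OBJECT:
        attr_list = [("objectClass", ["groupOfNames"]),
                     ("member", [id_to_dn(object_id)])]
        conn.add_s(ENABLED_EMULATION_DN, attr_list)


def get_enabled(conn, object_id):
    """Equivalent of _get_enabled: is the object's DN a member of the group?"""
    entry = conn.entries.get(ENABLED_EMULATION_DN, {})
    return id_to_dn(object_id) in entry.get("member", [])


def add_enabled_check_first(conn, object_id):
    """The bug report's approach: read membership, then add only if absent."""
    if not get_enabled(conn, object_id):
        add_enabled_original(conn, object_id)


def add_enabled_tolerant(conn, object_id):
    """Alternative: treat a duplicate add as success, no extra lookup needed."""
    try:
        add_enabled_original(conn, object_id)
    except TYPE_OR_VALUE_EXISTS:
        pass


def members(conn):
    return list(conn.entries.get(ENABLED_EMULATION_DN, {}).get("member", []))


def run_twice(add_fn):
    """Apply add_fn twice for one tenant on a fresh directory (an update after
    a create). Returns (both_calls_succeeded, member_list)."""
    conn = FakeLdapConnection()
    try:
        add_fn(conn, "tenant1")
        add_fn(conn, "tenant1")
    except TYPE_OR_VALUE_EXISTS:
        return False, members(conn)
    return True, members(conn)


if __name__ == "__main__":
    for fn in (add_enabled_original, add_enabled_check_first, add_enabled_tolerant):
        print(fn.__name__, run_twice(fn))
```

The check-first variant is what the bug report proposes; the tolerant variant shows that catching the duplicate-value error gives the same end state with one fewer directory round trip and no window between the read and the write.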

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1155234/+subscriptions