yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #14531
[Bug 1302106] Re: LDAP non-URL safe characters cause auth failure
** Also affects: keystone/havana
Importance: Undecided
Status: New
** Changed in: keystone/havana
Importance: Undecided => High
** Changed in: keystone/havana
Status: New => In Progress
** Changed in: keystone/havana
Assignee: (unassigned) => Dolph Mathews (dolph)
** Tags removed: havana-backport-potential
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1302106
Title:
LDAP non-URL safe characters cause auth failure
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone havana series:
In Progress
Bug description:
An Openstack user attempting to integrate Keystone with AD has
reported that when his user contains a comma (full name CN='Doe,
John'), a 'Bad search filter' error is thrown. If the full name CN is
instead 'John Doe', authorization succeeds.
dpkg -l |grep keystone
ii keystone 1:2013.2.2-0ubuntu1~cloud0 OpenStack identity service - Daemons
ii python-keystone 1:2013.2.2-0ubuntu1~cloud0 OpenStack identity service - Python library
ii python-keystoneclient 1:0.3.2-0ubuntu1~cloud0 Client library for OpenStack Identity API
Relevant error message:
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)
Relevant stack trace:
2014-03-31 15:44:27.459 3018 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result = method(context, **params)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 94, in authenticate
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi context, auth)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 272, in _authenticate_local
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 369, in _get_project_roles_and_ref
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 475, in get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 160, in get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_role_list = _get_group_project_roles(user_id, project_ref)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 111, in _get_group_project_roles
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_refs = self.identity_api.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 177, in wrapper
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 425, in list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_list = driver.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 154, in list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return self.group.list_user_groups(user_dn)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 334, in list_user_groups
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi memberships = self.get_all(query)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 388, in get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi for x in self._ldap_get_all(filter)]
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 364, in _ldap_get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi self.attribute_mapping.values())
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi res = self.conn.search_s(dn, scope, query, attrlist)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 495, in search_ext_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 491, in search_ext
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi timeout,sizelimit,
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result = func(*args,**kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1302106/+subscriptions
References
